Merge pull request #115 from jackctj117/KeyGen-benchmark

JCE: Implements KeyGenerator benchmark

.github/workflows/android_gradle.yml

@@ -0,0 +1,52 @@
+name: Android Gradle Build test logic
+
+on:
+  workflow_call:
+    inputs:
+      os:
+        required: true
+        type: string
+      jdk_distro:
+        required: true
+        type: string
+      jdk_version:
+        required: true
+        type: string
+
+jobs:
+  build_wolfssljni:
+    runs-on: ${{ inputs.os }}
+    steps:
+      - name: Clone wolfcrypt-jni
+        uses: actions/checkout@v4
+
+      # Clone native wolfSSL
+      - name: Clone native wolfSSL
+        uses: actions/checkout@v4
+        with:
+          repository: 'wolfssl/wolfssl'
+          path: IDE/Android/app/src/main/cpp/wolfssl
+
+      # Copy options.h.in to blank options.h
+      - name: Create blank options.h
+        run: cp IDE/Android/app/src/main/cpp/wolfssl/wolfssl/options.h.in IDE/Android/app/src/main/cpp/wolfssl/wolfssl/options.h
+
+      # Setup Java
+      - name: Setup java
+        uses: actions/setup-java@v4
+        with:
+          distribution: ${{ inputs.jdk_distro }}
+          java-version: ${{ inputs.jdk_version }}
+
+      # Gradle assembleDebug
+      - name: Gradle assembleDebug
+        run: cd IDE/Android && ls && ./gradlew assembleDebug
+
+      # Gradle assembleDebugUnitTest
+      - name: Gradle assembleDebugUnitTest
+        run: cd IDE/Android && ls && ./gradlew assembleDebugUnitTest
+
+      # Gradle assembleDebugAndroidTest
+      - name: Gradle assembleDebugAndroidTest
+        run: cd IDE/Android && ls && ./gradlew assembleDebugAndroidTest
+

.github/workflows/infer.yml

@@ -0,0 +1,126 @@
+name: Common Linux test logic
+
+on:
+  workflow_call:
+    inputs:
+      os:
+        required: true
+        type: string
+      jdk_distro:
+        required: true
+        type: string
+      jdk_version:
+        required: true
+        type: string
+      wolfssl_configure:
+        required: true
+        type: string
+
+jobs:
+  build_wolfcryptjni:
+    runs-on: ${{ inputs.os }}
+    steps:
+      - uses: actions/checkout@v4
+
+      # Download Facebook Infer
+      - name: Download Infer
+        run: wget https://github.com/facebook/infer/releases/download/v1.1.0/infer-linux64-v1.1.0.tar.xz
+      - name: Extract Infer
+        run: tar -xvf infer-linux64-v1.1.0.tar.xz
+      - name: Symlink Infer
+        run: ln -s "$GITHUB_WORKSPACE/infer-linux64-v1.1.0/bin/infer" /usr/local/bin/infer
+      - name: Test Infer get version
+        run: infer --version
+
+      # Download Junit JARs
+      - name: Download junit-4.13.2.jar
+        run: wget --directory-prefix=$GITHUB_WORKSPACE/junit https://repo1.maven.org/maven2/junit/junit/4.13.2/junit-4.13.2.jar
+      - name: Download hamcrest-all-1.3.jar
+        run: wget --directory-prefix=$GITHUB_WORKSPACE/junit https://repo1.maven.org/maven2/org/hamcrest/hamcrest-all/1.3/hamcrest-all-1.3.jar
+
+      # Build native wolfSSL
+      - name: Build native wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          repository: wolfSSL/wolfssl
+          ref: master
+          path: wolfssl
+          configure: ${{ inputs.wolfssl_configure }}
+          check: false
+          install: true
+
+      # Setup Java
+      - name: Setup java
+        uses: actions/setup-java@v4
+        with:
+          distribution: ${{ inputs.jdk_distro }}
+          java-version: ${{ inputs.jdk_version }}
+
+      - name: Set JUNIT_HOME
+        run: |
+          echo "JUNIT_HOME=$GITHUB_WORKSPACE/junit" >> "$GITHUB_ENV"
+      - name: Set LD_LIBRARY_PATH
+        run: |
+          echo "LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib" >> "$GITHUB_ENV"
+
+      # Only copy appropriate makefile for platform currently being tested
+      - name: Copy makefile
+        run: |
+          if [ "$RUNNER_OS" == "Linux" ]; then
+              cp makefile.linux makefile
+          elif [ "$RUNNER_OS" == "macOS" ]; then
+              cp makefile.macosx makefile
+          else
+            echo "$RUNNER_OS not supported"
+            exit 1
+          fi
+        shell: bash
+
+      - name: Build JNI library
+        run: PREFIX=$GITHUB_WORKSPACE/build-dir make
+
+      # ant build-jni-debug
+      - name: Build jce-debug JAR (ant build-jni-debug)
+        run: ant build-jni-debug
+      - name: Run Java tests (ant test)
+        run: ant test
+      - name: Clean JAR
+        run: ant clean
+
+      # ant build-jni-release
+      - name: Build jce-debug JAR (ant build-jni-release)
+        run: ant build-jni-release
+      - name: Run Java tests (ant test)
+        run: ant test
+      - name: Clean JAR
+        run: ant clean
+
+      # ant build-jce-debug
+      - name: Build jce-debug JAR (ant build-jce-debug)
+        run: ant build-jce-debug
+      - name: Run Java tests (ant test)
+        run: ant test
+      - name: Clean JAR
+        run: ant clean
+
+      # ant build-jce-release
+      - name: Build jce-debug JAR (ant build-jce-release)
+        run: ant build-jce-release
+      - name: Run Java tests (ant test)
+        run: ant test
+      - name: Clean JAR
+        run: ant clean
+
+      - name: Show logs on failure
+        if: failure() || cancelled()
+        run: |
+          cat build/reports/*.txt
+
+      # Run Facebook Infer
+      - name: Run Facebook Infer
+        run: ./scripts/infer.sh
+
+      - name: Shows Infer report on failure
+        if: failure()
+        run: cat infer-out/report.txt
+

.github/workflows/main.yml

@@ -55,11 +55,13 @@ jobs:
       wolfssl_configure: ${{ matrix.wolfssl_configure }}
 
   # Temurin JDK (Linux, Mac)
+  # JDK 8 seems to have been removed from Temurin macos, with 8 we see the error
+  # Could not find satisfied version for SemVer '8'
   linux-temurin:
     strategy:
       matrix:
         os: [ 'ubuntu-latest', 'macos-latest' ]
-        jdk_version: [ '8', '11', '17', '21' ]
+        jdk_version: [ '11', '17', '21' ]
         wolfssl_configure: [ '--enable-jni' ]
     name: ${{ matrix.os }} (Temurin JDK ${{ matrix.jdk_version }}, ${{ matrix.wolfssl_configure}})
     uses: ./.github/workflows/linux-common.yml
@@ -100,3 +102,72 @@ jobs:
       jdk_distro: "zulu"
       jdk_version: ${{ matrix.jdk_version }}
       wolfssl_configure: ${{ matrix.wolfssl_configure }}
+
+  # ------------------ RSA 1024 min size sanity check -------------------
+  # Only check one Linux and Mac JDK version as a sanity check. Using Zulu,
+  # but this can be expanded if needed.
+  # wolfSSL ./configure:
+  #     --enable-jni CFLAGS="-DRSA_MIN_SIZE=1024
+  linux-zulu-rsa-min-size:
+    strategy:
+      matrix:
+        os: [ 'ubuntu-latest', 'macos-latest' ]
+        jdk_version: [ '11' ]
+        wolfssl_configure: [ '--enable-jni CFLAGS="-DRSA_MIN_SIZE=1024"' ]
+    name: ${{ matrix.os }} (Zulu JDK ${{ matrix.jdk_version }}, ${{ matrix.wolfssl_configure}})
+    uses: ./.github/workflows/linux-common.yml
+    with:
+      os: ${{ matrix.os }}
+      jdk_distro: "zulu"
+      jdk_version: ${{ matrix.jdk_version }}
+      wolfssl_configure: ${{ matrix.wolfssl_configure }}
+
+  # ------------------ Facebook Infer static analysis -------------------
+  # Run Facebook infer over PR code, only running on Linux with one
+  # JDK/version for now.
+  fb-infer:
+    strategy:
+      matrix:
+        os: [ 'ubuntu-latest' ]
+        jdk_version: [ '11' ]
+        wolfssl_configure: [ '--enable-jni --enable-all' ]
+    name: Facebook Infer (${{ matrix.os }} Zulu JDK ${{ matrix.jdk_version }}, ${{ matrix.wolfssl_configure }})
+    uses: ./.github/workflows/infer.yml
+    with:
+      os: ${{ matrix.os }}
+      jdk_distro: "zulu"
+      jdk_version: ${{ matrix.jdk_version }}
+      wolfssl_configure: ${{ matrix.wolfssl_configure }}
+
+  # ----------------------- Android Gradle build ------------------------
+  # Run Android gradle build over PR code, only running on Linux with one
+  # JDK/version for now.
+  android-gradle:
+    strategy:
+      matrix:
+        os: [ 'ubuntu-latest' ]
+        jdk_version: [ '21' ]
+    name: Android Gradle (${{ matrix.os }} Zulu JDK ${{ matrix.jdk_version }})
+    uses: ./.github/workflows/android_gradle.yml
+    with:
+      os: ${{ matrix.os }}
+      jdk_distro: "zulu"
+      jdk_version: ${{ matrix.jdk_version }}
+
+  # --------------------- Maven build - test pom.xml --------------------
+  # Run Maven build over PR code, running on Linux and Mac with only one
+  # JDK/version for now.
+  maven-build:
+    strategy:
+      matrix:
+        os: [ 'ubuntu-latest', 'macos-latest' ]
+        jdk_version: [ '21' ]
+        wolfssl_configure: [ '--enable-jni' ]
+    name: Maven Build (${{ matrix.os }} Zulu JDK ${{ matrix.jdk_version }})
+    uses: ./.github/workflows/maven.yml
+    with:
+      os: ${{ matrix.os }}
+      jdk_distro: "zulu"
+      jdk_version: ${{ matrix.jdk_version }}
+      wolfssl_configure: ${{ matrix.wolfssl_configure }}
+

.github/workflows/maven.yml

@@ -0,0 +1,73 @@
+name: Maven Build (pom.xml)
+
+on:
+  workflow_call:
+    inputs:
+      os:
+        required: true
+        type: string
+      jdk_distro:
+        required: true
+        type: string
+      jdk_version:
+        required: true
+        type: string
+      wolfssl_configure:
+        required: true
+        type: string
+
+jobs:
+  build_wolfcryptjni:
+    runs-on: ${{ inputs.os }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build native wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          repository: wolfSSL/wolfssl
+          ref: master
+          path: wolfssl
+          configure: ${{ inputs.wolfssl_configure }}
+          check: false
+          install: true
+
+      - name: Setup java
+        uses: actions/setup-java@v4
+        with:
+          distribution: ${{ inputs.jdk_distro }}
+          java-version: ${{ inputs.jdk_version }}
+
+      - name: Set LD_LIBRARY_PATH
+        run: |
+          echo "LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib" >> "$GITHUB_ENV"
+
+      # Only copy appropriate makefile for platform currently being tested
+      - name: Copy makefile
+        run: |
+          if [ "$RUNNER_OS" == "Linux" ]; then
+              cp makefile.linux makefile
+          elif [ "$RUNNER_OS" == "macOS" ]; then
+              cp makefile.macosx makefile
+          else
+            echo "$RUNNER_OS not supported"
+            exit 1
+          fi
+        shell: bash
+
+      - name: Build JNI library
+        run: PREFIX=$GITHUB_WORKSPACE/build-dir make
+
+      # Maven build
+      - name: mvn compile
+        run: mvn compile
+
+      - name: mvn test
+        run: mvn test
+
+      - name: mvn package
+        run: mvn package
+
+      - name: mvn clean
+        run: mvn clean
+

.gitignore

@@ -4,7 +4,7 @@ build/
 lib/
 
 # Generated Javadocs
-docs/
+docs/javadoc
 
 # makefile, since copied from makefile.linux or makefile.macosx
 makefile
@@ -17,6 +17,11 @@ rpm/spec
 *.rpm
 wolfcrypt*.tar.gz
 
+# Android
+IDE/Android/.idea/deploymentTargetDropDown.xml
+IDE/Android/app/.cxx/
+IDE/Android/app/src/main/cpp/wolfssl
+
 # Windows
 IDE/WIN/.vs
 IDE/WIN/wolfcryptjni.vcxproj.user
@@ -25,6 +30,12 @@ IDE/WIN/DLL Debug FIPS
 IDE/WIN/DLL Release
 IDE/WIN/DLL Release FIPS
 
+# infer RacerD
+infer-out/
+
 # Maven output directory
 target/
 
+# Generated system cacerts.wks and jssecacerts.wks
+examples/certs/systemcerts/cacerts.wks
+examples/certs/systemcerts/jssecacerts.wks

ChangeLog.md

@@ -1,3 +1,48 @@
+### wolfCrypt JNI Release 1.8.0 (01/23/2025)
+
+Release 1.8.0 of wolfCrypt JNI and JCE has bug fixes and new features including:
+
+**New JCE Functionality:**
+- Add Java security property support for mapping JKS/PKCS12 to WKS type (PR 83)
+
+**JNI and JCE Changes:**
+- Run FIPS CASTs once up front to prevent threaded app errors (PR 84, 91)
+
+**Example Changes:**
+- Define `WOLFSSL_CUSTOM_CONFIG` in Android Studio project builds (PR 85)
+- Add basic JCE cryptography benchmark app (PR 88, 89, 93, 94)
+
+**Testing Changes:**
+- Add GitHub Action testing Maven (pom.xml) build on macOS and Linux (PR 82)
+
+The wolfCrypt JNI/JCE Manual is available at:
+https://www.wolfssl.com/documentation/manuals/wolfcryptjni/. For build
+instructions and more details comments, please check the manual.
+
+### wolfCrypt JNI Release 1.7.0 (11/11/2024)
+
+Release 1.7.0 of wolfCrypt JNI and JCE has bug fixes and new features including:
+
+**New JCE Functionality:**
+- New WolfSSLKeyStore (WKS) KeyStore implementation for FIPS 140-2/3 compliance (PR 67)
+
+**JNI and JCE Changes:**
+- Remove call to BigInteger.longValueExact(), not available on some Java versions (PR 76)
+- Detect `RSA_MIN_SIZE` in tests, add `Rsa.RSA_MIN_SIZE` helper (PR 77)
+- Fix pointer use in native `X509CheckPrivateKey()` (PR 80)
+
+**Example Changes:**
+- Set keytool path correctly in `system-cacerts-to-wks.sh` (PR 78)
+- Add example Android Studio project (IDE/Android) (PR 79)
+
+**Testing Changes:**
+- Run Facebook Infer on pull requests with GitHub Actions (PR 74)
+- Add Android Gradle build with GitHub Actions to run on all pull requests (PR 79)
+
+The wolfCrypt JNI/JCE Manual is available at:
+https://www.wolfssl.com/documentation/manuals/wolfcryptjni/. For build
+instructions and more details comments, please check the manual.
+
 ### wolfCrypt JNI Release 1.6.0 (4/17/2024)
 
 Release 1.6.0 of wolfCrypt JNI and JCE has bug fixes and new features including:

IDE/Android/.gitignore

@@ -0,0 +1,13 @@
+*.iml
+.gradle
+/local.properties
+/.idea/caches
+/.idea/libraries
+/.idea/modules.xml
+/.idea/workspace.xml
+/.idea/navEditor.xml
+/.idea/assetWizardSettings.xml
+.DS_Store
+/build
+/captures
+.externalNativeBuild

IDE/Android/.idea/.gitignore

@@ -0,0 +1,3 @@
+# Default ignored files
+/shelf/
+/workspace.xml

IDE/Android/.idea/codeStyles/Project.xml

@@ -0,0 +1,29 @@
+<component name="ProjectCodeStyleConfiguration">
+  <code_scheme name="Project" version="173">
+    <Objective-C-extensions>
+      <file>
+        <option name="com.jetbrains.cidr.lang.util.OCDeclarationKind" value="Import" />
+        <option name="com.jetbrains.cidr.lang.util.OCDeclarationKind" value="Macro" />
+        <option name="com.jetbrains.cidr.lang.util.OCDeclarationKind" value="Typedef" />
+        <option name="com.jetbrains.cidr.lang.util.OCDeclarationKind" value="Enum" />
+        <option name="com.jetbrains.cidr.lang.util.OCDeclarationKind" value="Constant" />
+        <option name="com.jetbrains.cidr.lang.util.OCDeclarationKind" value="Global" />
+        <option name="com.jetbrains.cidr.lang.util.OCDeclarationKind" value="Struct" />
+        <option name="com.jetbrains.cidr.lang.util.OCDeclarationKind" value="FunctionPredecl" />
+        <option name="com.jetbrains.cidr.lang.util.OCDeclarationKind" value="Function" />
+      </file>
+      <class>
+        <option name="com.jetbrains.cidr.lang.util.OCDeclarationKind" value="Property" />
+        <option name="com.jetbrains.cidr.lang.util.OCDeclarationKind" value="Synthesize" />
+        <option name="com.jetbrains.cidr.lang.util.OCDeclarationKind" value="InitMethod" />
+        <option name="com.jetbrains.cidr.lang.util.OCDeclarationKind" value="StaticMethod" />
+        <option name="com.jetbrains.cidr.lang.util.OCDeclarationKind" value="InstanceMethod" />
+        <option name="com.jetbrains.cidr.lang.util.OCDeclarationKind" value="DeallocMethod" />
+      </class>
+      <extensions>
+        <pair source="cpp" header="h" fileNamingConvention="NONE" />
+        <pair source="c" header="h" fileNamingConvention="NONE" />
+      </extensions>
+    </Objective-C-extensions>
+  </code_scheme>
+</component>

IDE/Android/.idea/compiler.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="CompilerConfiguration">
+    <bytecodeTargetLevel target="17" />
+  </component>
+</project>

IDE/Android/.idea/gradle.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="GradleMigrationSettings" migrationVersion="1" />
+  <component name="GradleSettings">
+    <option name="linkedExternalProjectsSettings">
+      <GradleProjectSettings>
+        <option name="externalProjectPath" value="$PROJECT_DIR$" />
+        <option name="gradleJvm" value="#GRADLE_LOCAL_JAVA_HOME" />
+        <option name="modules">
+          <set>
+            <option value="$PROJECT_DIR$" />
+            <option value="$PROJECT_DIR$/app" />
+          </set>
+        </option>
+        <option name="resolveExternalAnnotations" value="false" />
+      </GradleProjectSettings>
+    </option>
+  </component>
+</project>

IDE/Android/.idea/jarRepositories.xml

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="RemoteRepositoriesConfiguration">
+    <remote-repository>
+      <option name="id" value="central" />
+      <option name="name" value="Maven Central repository" />
+      <option name="url" value="https://repo1.maven.org/maven2" />
+    </remote-repository>
+    <remote-repository>
+      <option name="id" value="jboss.community" />
+      <option name="name" value="JBoss Community repository" />
+      <option name="url" value="https://repository.jboss.org/nexus/content/repositories/public/" />
+    </remote-repository>
+    <remote-repository>
+      <option name="id" value="BintrayJCenter" />
+      <option name="name" value="BintrayJCenter" />
+      <option name="url" value="https://jcenter.bintray.com/" />
+    </remote-repository>
+    <remote-repository>
+      <option name="id" value="Google" />
+      <option name="name" value="Google" />
+      <option name="url" value="https://dl.google.com/dl/android/maven2/" />
+    </remote-repository>
+  </component>
+</project>

IDE/Android/.idea/misc.xml

@@ -0,0 +1,22 @@
+<project version="4">
+  <component name="DesignSurface">
+    <option name="filePathToZoomLevelMap">
+      <map>
+        <entry key="app/src/main/res/layout/activity_main.xml" value="0.1983695652173913" />
+      </map>
+    </option>
+  </component>
+  <component name="ProjectRootManager" version="2" languageLevel="JDK_17" default="true" project-jdk-name="jbr-17" project-jdk-type="JavaSDK">
+    <output url="file://$PROJECT_DIR$/build/classes" />
+  </component>
+  <component name="ProjectType">
+    <option name="id" value="Android" />
+  </component>
+  <component name="VisualizationToolProject">
+    <option name="state">
+      <ProjectState>
+        <option name="scale" value="1.1" />
+      </ProjectState>
+    </option>
+  </component>
+</project>

IDE/Android/.idea/vcs.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="$PROJECT_DIR$/../.." vcs="Git" />
+    <mapping directory="$PROJECT_DIR$/app/src/main/cpp/wolfssl" vcs="Git" />
+  </component>
+</project>

IDE/Android/README.md

@@ -0,0 +1,92 @@
+# Android Studio Example Project
+
+This is an example Android Studio project file for wolfcrypt-jni / wolfJCE.
+This project should be used for reference only.
+
+Tool and version information used when testing this project:
+
+- Ubuntu 20.04.3 LTS
+- Android Studio Chipmunk 2021.2.1
+- Android Gradle Plugin Version: 4.2.2
+- Gradle Version: 7.1.3
+- API 30: Android 11
+- Emulator: Pixel 5 API 31
+
+The following sections outline steps required to run this example on an
+Android device or emulator.
+
+## 1. Add Native wolfSSL Library Source Code to Project
+
+This example project is already set up to compile and build the native
+wolfSSL library source files, but the wolfSSL files themselves have not been
+included in this package. You must download or link an appropriate version
+of wolfSSL to this project using one of the options below.
+
+The project looks for the directory
+`wolfcrypt-jni/IDE/Android/app/src/main/cpp/wolfssl` for wolfSSL source code.
+This can added in multiple ways:
+
+- OPTION A: Download the latest wolfSSL library release from www.wolfssl.com,
+unzip it, rename it to `wolfssl`, and place it in the direcotry
+`wolfcrypt-jni/IDE/Android/app/src/main/cpp/`.
+
+```
+$ unzip wolfssl-X.X.X.zip
+$ mv wolfssl-X.X.X wolfcrypt-jni/IDE/Android/app/src/main/cpp/wolfssl
+```
+
+- OPTION B: Alternatively GitHub can be used to clone wolfSSL:
+
+```
+$ cd /IDE/Android/app/src/main/cpp/
+$ git clone https://github.com/wolfssl/wolfssl
+$ cp wolfssl/options.h.in wolfssl/options.h
+```
+
+- OPTION C: A symbolic link to a wolfssl directory on the system by using:
+
+```
+$ cd /IDE/Android/app/src/main/cpp/
+$ ln -s /path/to/local/wolfssl ./wolfssl
+```
+
+## 2. Update Java Symbolic Links (Only applies to Windows Users)
+
+The following Java source directory is a Unix/Linux symlink:
+
+```
+wolfcrypt-jni/IDE/Android/app/src/main/java/com/wolfssl
+```
+
+This will not work correctly on Windows, and a new Windows symbolic link needs
+to be created in this location. To do so:
+
+1) Open Windows Command Prompt (Right click, and "Run as Administrator")
+2) Navigate to `wolfcrypt-jni\IDE\Android\app\src\main\java\com`
+3) Delete the existing symlink file (it shows up as a file called "wolfssl")
+
+```
+del wolfssl
+```
+
+4) Create a new relative symbolic link with `mklink`:
+
+```
+mklink /D wolfssl ..\..\..\..\..\..\..\src\java\com\wolfssl\
+```
+
+## 3. Import and Build the Example Project with Android Studio
+
+1) Open the Android Studio project by double clicking on the `Android` folder
+in wolfcrypt-jni/IDE/. Or, from inside Android Studio, open the `Android`
+project located in the wolfcrypt-jni/IDE directory.
+
+2) Build the project and run MainActivity from app -> java/com/example.wolfssl.
+This will ask for permissions to access the certificates in the /sdcard/
+directory and then print out the server certificate information on success.
+
+## Support
+
+Please contact wolfSSL support at support@wolfssl.com with any questions or
+feedback.
+

IDE/Android/app/.gitignore

@@ -0,0 +1 @@
+/build

IDE/Android/app/build.gradle

@@ -0,0 +1,50 @@
+apply plugin: 'com.android.application'
+
+android {
+    compileSdk 33
+    defaultConfig {
+        applicationId "com.example.wolfssl"
+        /* Min SDK should stay at 24 to detect if we try to use newer APIs
+         * than were available in that Android SDK. We have users who are still
+         on SDK 24 (ref ZD 18311) */
+        minSdkVersion 24
+        targetSdkVersion 33
+        versionCode 1
+        versionName "1.0"
+        testInstrumentationRunner "android.support.test.runner.AndroidJUnitRunner"
+        externalNativeBuild {
+            cmake {
+                cppFlags ""
+            }
+        }
+    }
+    compileOptions {
+        sourceCompatibility JavaVersion.VERSION_11
+        targetCompatibility JavaVersion.VERSION_11
+    }
+    buildTypes {
+        release {
+            minifyEnabled false
+            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
+        }
+    }
+    externalNativeBuild {
+        cmake {
+            path "src/main/cpp/CMakeLists.txt"
+        }
+    }
+    sourceSets {
+        main.java.srcDirs += '../../../src/main/java'
+        test.java.srcDirs += '../../../src/main/test'
+    }
+    namespace 'com.example.wolfssl'
+}
+
+dependencies {
+    implementation fileTree(dir: 'libs', include: ['*.jar'])
+    implementation 'com.android.support:appcompat-v7:28.0.0'
+    implementation 'com.android.support.constraint:constraint-layout:2.0.4'
+    testImplementation 'junit:junit:4.13.2'
+    androidTestImplementation 'com.android.support.test:runner:1.0.2'
+    androidTestImplementation 'com.android.support.test.espresso:espresso-core:3.0.2'
+}

IDE/Android/app/proguard-rules.pro

@@ -0,0 +1,21 @@
+# Add project specific ProGuard rules here.
+# You can control the set of applied configuration files using the
+# proguardFiles setting in build.gradle.
+#
+# For more details, see
+#   http://developer.android.com/guide/developing/tools/proguard.html
+
+# If your project uses WebView with JS, uncomment the following
+# and specify the fully qualified class name to the JavaScript interface
+# class:
+#-keepclassmembers class fqcn.of.javascript.interface.for.webview {
+#   public *;
+#}
+
+# Uncomment this to preserve the line number information for
+# debugging stack traces.
+#-keepattributes SourceFile,LineNumberTable
+
+# If you keep the line number information, uncomment this to
+# hide the original source file name.
+#-renamesourcefileattribute SourceFile

IDE/Android/app/src/main/AndroidManifest.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android">
+    <uses-permission android:name="android.permission.INTERNET"/>
+
+    <application
+        android:allowBackup="true"
+        android:icon="@mipmap/ic_launcher"
+        android:label="@string/app_name"
+        android:roundIcon="@mipmap/ic_launcher"
+        android:supportsRtl="true"
+        android:theme="@style/AppTheme"
+        android:requestLegacyExternalStorage="true"
+        android:preserveLegacyExternalStorage="true">
+        <activity android:name=".MainActivity" android:exported="true">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+    </application>
+
+</manifest>

IDE/Android/app/src/main/cpp/CMakeLists.txt

@@ -0,0 +1,379 @@
+# For more information about using CMake with Android Studio, read the
+# documentation: https://d.android.com/studio/projects/add-native-code.html
+
+# Sets the minimum version of CMake required to build the native library.
+cmake_minimum_required(VERSION 3.4.1)
+
+# Define project as both C and ASM for cases for SP has assembly enabled
+project("wolfcryptjni-gradle" C ASM)
+
+# set wolfCrypt JNI location as environment variable, change if needed
+set(wolfcryptjni_DIR ${CMAKE_SOURCE_DIR}/../../../../../../)
+set(wolfssl_DIR      ${CMAKE_SOURCE_DIR}/wolfssl/)
+
+# set warnings as errors, used in this example project but may be different
+# in production apps/environments.
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Werror")
+
+# ---------------- wolfSSL Normal vs. FIPS Ready Selection ---------------------
+# Select if wolfSSL is normal ("normal") or FIPS Ready ("fipsready")
+# wolfSSL FIPS Ready is available for download on the wolfssl.com download page.
+# For more information on wolfSSL FIPS Ready see:
+#
+# https://www.wolfssl.com/license/fips/
+#
+# FIPS Ready requires different preprocessor flags, files, and a specific file
+# ordering as set up below.
+set(WOLFSSL_PKG_TYPE "normal")
+
+# -------------------------- Math Library Selection ----------------------------
+# wolfCrypt math library selection, used to switch on below. Should be one of:
+#     fastmath
+#     spmath
+set(WOLFSSL_MATH_LIB "spmath")
+
+# Add header directories to include paths
+include_directories(
+        ${wolfssl_DIR}
+        ${wolfcryptjni_DIR}/jni/include
+)
+
+# ---------------------------- Preprocessor Defines ----------------------------
+
+if ("${WOLFSSL_PKG_TYPE}" MATCHES "normal")
+        # Add preprocessor defines to CFLAGS, these match those placed into
+        # wolfssl/options.h by configure if using: "./configure --enable-jni".
+        # This list may be configurable depending on use case and desired
+        # optimizations.
+        add_definitions(-DWC_RSA_BLINDING -DWOLFSSL_SHA224 -DWOLFSSL_SHA384
+                -DWOLFSSL_SHA512 -DHAVE_HKDF -DNO_DSA -DHAVE_ECC
+                -DECC_SHAMIR -DWC_RSA_PSS -DWOLFSSL_BASE64_ENCODE
+                -DWOLFSSL_SHA3 -DHAVE_POLY1305 -DHAVE_CHACHA -DHAVE_HASHDRBG
+                -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES -DHAVE_FFDHE_2048
+                -DWOLFSSL_TLS13 -DHAVE_EXTENDED_MASTER -DWOLFSSL_JNI
+                -DHAVE_EX_DATA -DWOLFSSL_DTLS -DOPENSSL_EXTRA -DOPENSSL_ALL
+                -DHAVE_CRL -DHAVE_OCSP -DHAVE_CRL_MONITOR
+                -DPERSIST_SESSION_CACHE -DPERSIST_CERT_CACHE -DATOMIC_USER
+                -DHAVE_PK_CALLBACKS -DWOLFSSL_CERT_EXT -DWOLFSSL_CERT_GEN
+                -DHAVE_SNI -DHAVE_ALPN -DNO_RC4 -DHAVE_ENCRYPT_THEN_MAC
+                -DNO_MD4 -DWOLFSSL_ENCRYPTED_KEYS -DHAVE_DH_DEFAULT_PARAMS
+                -DNO_ERROR_QUEUE -DWOLFSSL_EITHER_SIDE -DWC_RSA_NO_PADDING
+                -DWC_RSA_PSS -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_TICKET_HAVE_ID
+                -DWOLFSSL_ERROR_CODE_OPENSSL -DWOLFSSL_ALWAYS_VERIFY_CB
+                -DWOLFSSL_VERIFY_CB_ALL_CERTS -DWOLFSSL_EXTRA_ALERTS
+                -DHAVE_EXT_CACHE -DWOLFSSL_FORCE_CACHE_ON_TICKET
+                -DWOLFSSL_AKID_NAME -DHAVE_CTS -DNO_DES3 -DGCM_TABLE_4BIT
+                -DTFM_TIMING_RESISTANT -DECC_TIMING_RESISTANT
+                -DHAVE_AESGCM -DSIZEOF_LONG=4 -DSIZEOF_LONG_LONG=8
+                -DWOLFSSL_CUSTOM_CONFIG
+
+                # For gethostbyname()
+                -DHAVE_NETDB_H
+
+                # Defines added for debugging. These can be removed if debug
+                # logging is not needed and will increase performance and reduce
+                # library footprint size if removed.
+                #-DDEBUG_WOLFSSL -DWOLFSSL_ANDROID_DEBUG
+
+                # Defines added for wolfCrypt test and benchmark only, may not
+                # be needed for your own application. Add -DNO_FILESYSTEM to
+                # disable file system use for wolfCrypt test, but make sure
+                # to remove this define in production applications as
+                # filesystem access is required for wolfJCE use.
+                -DUSE_CERT_BUFFERS_2048 -DUSE_CERT_BUFFERS_256
+                -DNO_WRITE_TEMP_FILES -DNO_MAIN_DRIVER
+        )
+
+elseif("${WOLFSSL_PKG_TYPE}" MATCHES "fipsready")
+        # The wolfCrypt FIPS In Core Integrity checksum will vary with compiler
+        # versions, runtime library versions, target hardware, and build type.
+        # Anytime the module is shifted up or down in memory or loaded from a new
+        # memory location the hash will change. This is expected during normal
+        # development cycles but should be stable in a production deployment.
+        # The verifyCore[] hash can be manually updated in
+        # 'wolfcrypt/src/fips_test.c' and the app recompiled. Or, the define
+        # WOLFCRYPT_FIPS_CORE_HASH_VALUE can be set below, which is helpful
+        # for Android Studio, which builds for all these architectures in the same
+        # build.
+        #
+        # The hash values below are only for reference and will need to
+        # be updated to match your build. To update this value:
+        #
+        #  1. Build and install your app which contains wolfCrypt FIPS
+        #  2. Run your app on each architecture, looking at the logcat output
+        #     to see the expected verifyCore[] hash value.
+        #  3. Copy the expected hash value from logcat to the proper architecture
+        #     section below.
+        #  4. Re-build your application now that the expected hash value has
+        #     been set.
+        #  5. Re-install and re-run your application on each architecture to
+        #     confirm the hash is stable and application runs as expected.
+        #
+        # NOTE: If using wolfSSL FIPS Ready or FIPS proper with this sample
+        # application and run into the scenario where the verifyCore[] hash output
+        # at runtime is empty, consider checking/increasing the size of the
+        # MAX_FIPS_DATA_SZ define in 'wolfcrypt/src/fips_test.c'.
+
+        if("${ANDROID_ABI}" MATCHES "arm64-v8a")
+                # https://developer.android.com/ndk/guides/abis#arm64-v8a
+                add_definitions(-DWOLFCRYPT_FIPS_CORE_HASH_VALUE=DF2FF40654C405467072356FBA6C02A88F17E79B08A1A8F3A887C0F6AB4E4650)
+        elseif("${ANDROID_ABI}" MATCHES "armeabi-v7a")
+                # https://developer.android.com/ndk/guides/abis#v7a
+                add_definitions(-DWOLFCRYPT_FIPS_CORE_HASH_VALUE=DF2FF40654C405467072356FBA6C02A88F17E79B08A1A8F3A887C0F6AB4E4650)
+        elseif("${ANDROID_ABI}" MATCHES "x86_64")
+                # https://developer.android.com/ndk/guides/abis#86-64
+                add_definitions(-DWOLFCRYPT_FIPS_CORE_HASH_VALUE=DF2FF40654C405467072356FBA6C02A88F17E79B08A1A8F3A887C0F6AB4E4650)
+        elseif("${ANDROID_ABI}" MATCHES "x86")
+                # https://developer.android.com/ndk/guides/abis#x86
+                add_definitions(-DWOLFCRYPT_FIPS_CORE_HASH_VALUE=DF2FF40654C405467072356FBA6C02A88F17E79B08A1A8F3A887C0F6AB4E4650)
+        endif()
+
+        # Add preprocessor defines to CFLAGS, these match those placed into
+        # wolfssl/options.h by configure if using the following configure on a Unix/Linux
+        # platform with a wolfSSL FIPS Ready GPLv3 bundle:
+        #
+        # ./configure --enable-fips=ready --enable-jni
+        #
+        # This list may be configurable depending on use case and desired
+        # optimizations, being careful not to break FIPS compatibility if targeting
+        # FIPS proper in the future. Please contact support@wolfssl.com for assistance
+        # properly compiling for use with wolfCrypt FIPS variants.
+        add_definitions(
+                -DWOLFSSL_FIPS_READY -DHAVE_FIPS -DHAVE_FIPS_VERSION=7
+                -DHAVE_FIPS_VERSION_MAJOR=7 -DHAVE_FIPS_VERSION_MINOR=0
+                -DHAVE_FIPS_VERSION_PATCH=0 -DWC_RNG_SEED_CB -DHAVE_THREAD_LS
+
+                -DWOLFSSL_WOLFSSH -DNO_DO178 -DHAVE_REPRODUCIBLE_BUILD -DWC_NO_ASYNC_THREADING
+                -DNO_OLD_TLS -DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS -DHAVE_SNI
+                -DHAVE_KEYING_MATERIAL -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES
+                -DHAVE_EXTENDED_MASTER -DHAVE_ENCRYPT_THEN_MAC -DWOLFSSL_JNI -DHAVE_EX_DATA
+                -DKEEP_PEER_CERT -DWOLFSSL_ALWAYS_VERIFY_CB -DWOLFSSL_DTLS -DOPENSSL_EXTRA
+                -DOPENSSL_ALL -DWOLFSSL_ERROR_CODE_OPENSSL -DHAVE_CRL -DHAVE_CRL_MONITOR
+                -DHAVE_OCSP -DPERSIST_SESSION_CACHE -DPERSIST_CERT_CACHE -DATOMIC_USER
+                -DWOLFSSL_CERT_EXT -DWOLFSSL_CERT_GEN -DWOLFSSL_CERT_REQ -DWOLFSSL_KEY_GEN
+                -DHAVE_ALPN -DWOLFSSL_ALT_CERT_CHAINS -DSESSION_CERTS -DWOLFSSL_ENCRYPTED_KEYS
+                -DWOLFSSL_SYS_CA_CERTS -DWOLFSSL_ALT_NAMES -DWOLFSSL_EITHER_SIDE
+                -DWOLFSSL_TICKET_HAVE_ID -DWOLFSSL_CERT_NAME_ALL
+                -DHAVE_SERVER_RENEGOTIATION_INFO -DWOLFSSL_ASN_TEMPLATE -DWOLFSSL_ASN_PRINT
+                -DWOLFSSL_BASE64_ENCODE -DERROR_QUEUE_PER_THREAD -DNO_ERROR_QUEUE
+                -DTFM_TIMING_RESISTANT -DECC_TIMING_RESISTANT -DWOLFSSL_USE_ALIGN
+                -DWOLFSSL_PUBLIC_MP
+
+                -DWC_RSA_BLINDING -DWC_RSA_PSS -DWOLFSSL_PSS_LONG_SALT -DWC_RSA_NO_PADDING
+
+                -DHAVE_ECC -DTFM_ECC256 -DECC_SHAMIR -DECC_MIN_KEY_SZ=192 -DHAVE_ECC_CDH
+                -DECC_USER_CURVES -DHAVE_ECC192 -DHAVE_ECC224 -DHAVE_ECC256 -DHAVE_ECC384
+                -DHAVE_ECC521 -DWOLFSSL_ECDSA_SET_K -DWOLFSSL_VALIDATE_ECC_IMPORT
+                -DWOLFSSL_VALIDATE_ECC_KEYGEN
+
+                -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q -DHAVE_FFDHE_2048
+                -DHAVE_FFDHE_3072 -DHAVE_FFDHE_4096 -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192
+                -DHAVE_DH_DEFAULT_PARAMS
+
+                -DHAVE_HKDF -DHAVE_PBKDF2 -DHAVE_HASHDRBG -DWC_SRTP_KDF -DWOLFSSL_SRTP
+
+                -DHAVE_AESGCM -DGCM_TABLE_4BIT -DWOLFSSL_AESGCM_STREAM -DHAVE_AESCCM
+                -DWOLFSSL_AES_COUNTER -DWOLFSSL_CMAC -DWOLFSSL_AES_OFB -DWOLFSSL_AES_CFB
+                -DWOLFSSL_AES_XTS -DWOLFSSL_AESXTS_STREAM -DWOLFSSL_AES_DIRECT
+                -DHAVE_AES_ECB -DHAVE_AES_KEYWRAP -DWOLFSSL_AES_XTS -DHAVE_AES_KEYWRAP
+
+                -DHAVE_ED25519 -DHAVE_ED25519_KEY_IMPORT -DHAVE_ED448 -DHAVE_ED448_KEY_IMPORT
+                -DWOLFSSL_ED448_STREAMING_VERIFY
+
+                -DHAVE_CURVE25519 -DHAVE_CURVE448
+
+                -DWOLFSSL_SHA224 -DWOLFSSL_SHA384 -DWOLFSSL_SHA512 -DWOLFSSL_NOSHA512_224
+                -DWOLFSSL_NOSHA512_256 -DWOLFSSL_SHA3 -DWOLFSSL_SHAKE128 -DWOLFSSL_SHAKE256
+
+                -DNO_DSA -DNO_RC4 -DNO_MD4 -DNO_DES3 -DNO_DES3_TLS_SUITES
+
+                -DSIZEOF_LONG=4 -DSIZEOF_LONG_LONG=8 -DWOLFSSL_CUSTOM_CONFIG
+
+                # For gethostbyname()
+                -DHAVE_NETDB_H
+
+                # Enable below options for wolfSSL debug logging
+                #-DDEBUG_WOLFSSL -DWOLFSSL_ANDROID_DEBUG
+
+                # Below options are added only for wolfCrypt test and benchmark applications.
+                # These can be left off / removed when integrating into a real-world application.
+                # Add -DNO_FILESYSTEM to disable file system use for wolfCrypt test, but make sure
+                # to remove this define in production applications as filesystem access is required
+                # for wolfJSSE use.
+                -DUSE_CERT_BUFFERS_2048 -DUSE_CERT_BUFFERS_256
+                -DNO_WRITE_TEMP_FILES -DNO_MAIN_DRIVER
+        )
+endif()
+
+if ("$WOLFSSL_MATH_LIB" MATCHES "fastmath")
+        # Use fastmath library
+        add_definitions(-DUSE_FAST_MATH -DTFM_ECC256 -DTFM_NO_ASM)
+
+elseif("${WOLFSSL_MATH_LIB}" MATCHES "spmath")
+        # Use SP math Library
+        add_definitions(
+                -DWOLFSSL_HAVE_SP_RSA -DWOLFSSL_SP_4096
+                -DWOLFSSL_HAVE_SP_DH
+                -DWOLFSSL_HAVE_SP_ECC -DWOLFSSL_SP_384 -DWOLFSSL_SP_521
+                -DWOLFSSL_SP_LARGE_CODE
+                -DFP_MAX_BITS=16384 -DSP_INT_BITS=8192)
+
+        # SP Math architecture-specific settings (ex: assembly optimizations)
+        if("${ANDROID_ABI}" MATCHES "arm64-v8a")
+                # Using ASM for SP, need to use WOLFSSL_SP_MATH instead of WOLFSSL_SP_MATH_ALL
+                add_definitions(-DWOLFSSL_SP_MATH)
+                add_definitions(-DWOLFSSL_SP_ASM -DWOLFSSL_SP_ARM64 -DWOLFSSL_SP_ARM64_ASM -DHAVE___UINT128_T)
+        elseif("${ANDROID_ABI}" MATCHES "armeabi-v7a")
+                # Add SP optimizations for ARMv7 here when available.
+                # Not using ASM, need to use WOLFSSL_SP_MATH_ALL for SW-only implementation
+                add_definitions(-DWOLFSSL_SP_MATH_ALL)
+        elseif("${ANDROID_ABI}" MATCHES "x86_64")
+                # Using ASM for SP, need to use WOLFSSL_SP_MATH instead of WOLFSSL_SP_MATH_ALL
+                add_definitions(-DWOLFSSL_SP_MATH)
+                add_definitions(-DWOLFSSL_SP_ASM -DWOLFSSL_SP_X86_64 -DWOLFSSL_SP_X86_64_ASM -DHAVE___UINT128_T)
+                list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/sp_x86_64_asm.S)
+        elseif("${ANDROID_ABI}" MATCHES "x86")
+                # Add SP optimizations for X86 here when available.
+                # Not using ASM, need to use WOLFSSL_SP_MATH_ALL for SW-only implementation
+                add_definitions(-DWOLFSSL_SP_MATH_ALL)
+        else()
+                # Not using ASM, need to use WOLFSSL_SP_MATH_ALL for SW-only implementation
+                add_definitions(-DWOLFSSL_SP_MATH_ALL)
+        endif()
+endif()
+
+# --------------------------- wolfSSL and wolfCrypt Source Files -----------------------------------
+# Add TLS sources to TLS_SOURCES list and remove files that are included inline by other files
+aux_source_directory(${wolfssl_DIR}/src TLS_SOURCES)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/bio.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/conf.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/pk.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_bn.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_asn1.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_certman.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_crypto.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_load.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_misc.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_p7p12.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_sess.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/x509.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/x509_str.c)
+
+if ("${WOLFSSL_PKG_TYPE}" MATCHES "normal")
+        # Add crypto sources to CRYPTO_SOURCES, remove files that are included inline by other files
+        aux_source_directory(${wolfssl_DIR}/wolfcrypt/src CRYPTO_SOURCES)
+        list(REMOVE_ITEM CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/evp.c)
+        list(REMOVE_ITEM CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/misc.c)
+
+elseif("${WOLFSSL_PKG_TYPE}" MATCHES "fipsready")
+        # FIPS Ready needs to explicitly order files for in-core integrity check to work properly.
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/wolfcrypt_first.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/hmac.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/random.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/kdf.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/rsa.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/ecc.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/aes.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/sha256.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/sha.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/sha512.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/sha3.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/dh.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/cmac.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/curve448.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/ed448.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/curve25519.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/ed25519.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/pwdbased.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/fips.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/fips_test.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/wolfcrypt_last.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/hash.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/cpuid.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/logging.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/wc_port.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/error.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/wc_encrypt.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/signature.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/sp_arm32.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/sp_arm64.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/sp_armthumb.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/sp_c32.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/sp_c64.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/sp_cortexm.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/sp_dsp32.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/sp_int.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/sp_x86_64.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/wolfmath.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/memory.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/asn.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/coding.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/md5.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/pwdbased.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/pkcs12.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/tfm.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/wc_lms.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/wc_lms_impl.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/wc_xmss.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/wc_xmss_impl.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/fe_operations.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/ge_operations.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/fe_448.c)
+        list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/ge_448.c)
+endif()
+
+# wolfSSL will be compiled as a SHARED library
+add_library(wolfssl SHARED
+        ${CRYPTO_SOURCES}
+        ${TLS_SOURCES}
+)
+
+# set_target_properties(wolfssl PROPERTIES LIBRARY_OUTPUT_DIRECTORY
+# ${CMAKE_SOURCE_DIR}/../jniLibs/${ANDROID_ABI})
+
+# wolfCrypt JNI/JCE library wil be compiled as SHARED library
+# wolfCrypt JNI Java files are tied into build in Module build.gradle file
+add_library(wolfcryptjni SHARED
+        ${wolfcryptjni_DIR}/jni/jni_aes.c
+        ${wolfcryptjni_DIR}/jni/jni_aesgcm.c
+        ${wolfcryptjni_DIR}/jni/jni_asn.c
+        ${wolfcryptjni_DIR}/jni/jni_chacha.c
+        ${wolfcryptjni_DIR}/jni/jni_curve25519.c
+        ${wolfcryptjni_DIR}/jni/jni_des3.c
+        ${wolfcryptjni_DIR}/jni/jni_dh.c
+        ${wolfcryptjni_DIR}/jni/jni_ecc.c
+        ${wolfcryptjni_DIR}/jni/jni_ed25519.c
+        ${wolfcryptjni_DIR}/jni/jni_error.c
+        ${wolfcryptjni_DIR}/jni/jni_feature_detect.c
+        ${wolfcryptjni_DIR}/jni/jni_fips.c
+        ${wolfcryptjni_DIR}/jni/jni_hmac.c
+        ${wolfcryptjni_DIR}/jni/jni_jce_wolfsslkeystore.c
+        ${wolfcryptjni_DIR}/jni/jni_logging.c
+        ${wolfcryptjni_DIR}/jni/jni_md5.c
+        ${wolfcryptjni_DIR}/jni/jni_native_struct.c
+        ${wolfcryptjni_DIR}/jni/jni_pwdbased.c
+        ${wolfcryptjni_DIR}/jni/jni_rng.c
+        ${wolfcryptjni_DIR}/jni/jni_rsa.c
+        ${wolfcryptjni_DIR}/jni/jni_sha.c
+        ${wolfcryptjni_DIR}/jni/jni_wolfcrypt.c
+        ${wolfcryptjni_DIR}/jni/jni_wolfobject.c
+        ${wolfcryptjni_DIR}/jni/jni_wolfssl_cert_manager.c
+)
+
+# set_target_properties(wolfcryptjni PROPERTIES LIBRARY_OUTPUT_DIRECTORY
+# ${CMAKE_SOURCE_DIR}/../jniLibs/${ANDROID_ABI})
+
+# Find the android log library, store into variable ${lib-log}
+find_library(lib-log log)
+
+# Link libwolfssl to android log library
+target_link_libraries(
+        wolfssl
+        ${lib-log}
+)
+
+# Link libwolfcryptjni to libwolfssl
+target_link_libraries(
+        wolfcryptjni
+        wolfssl
+)

IDE/Android/app/src/main/java/com/example/wolfssl/MainActivity.java

@@ -0,0 +1,95 @@
+/* MainActivity.java
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+
+package com.example.wolfssl;
+
+import android.support.v7.app.AppCompatActivity;
+import android.os.Bundle;
+import android.view.View;
+import android.widget.Button;
+import android.widget.TextView;
+
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Provider;
+import java.security.Security;
+
+import com.wolfssl.provider.jce.WolfCryptProvider;
+
+public class MainActivity extends AppCompatActivity {
+
+    private View.OnClickListener buttonListener = new View.OnClickListener() {
+        @Override
+        public void onClick(View v) {
+            TextView tv = (TextView) findViewById(R.id.sample_text);
+
+            try {
+                testFindProvider(tv);
+            } catch (Exception e) {
+                e.printStackTrace();
+            }
+        }
+    };
+
+    private void setDisplayText(String s)
+    {
+        runOnUiThread(() -> {
+            TextView tv = (TextView) findViewById(R.id.sample_text);
+            tv.setText(s);
+        });
+    }
+
+    private void appendDisplayText(String s)
+    {
+        runOnUiThread(() -> {
+            TextView tv = (TextView) findViewById(R.id.sample_text);
+            tv.append(s);
+        });
+    }
+
+    @Override
+    protected void onCreate(Bundle savedInstanceState) {
+        super.onCreate(savedInstanceState);
+        setContentView(R.layout.activity_main);
+
+        Button button = (Button) findViewById(R.id.button);
+        button.setOnClickListener(buttonListener);
+
+        setDisplayText("wolfCrypt JNI/JCE Android Studio Example app\n");
+    }
+
+    public void testFindProvider(TextView tv)
+            throws NoSuchProviderException, NoSuchAlgorithmException {
+
+        Security.insertProviderAt(new WolfCryptProvider(), 1);
+
+        Provider p = Security.getProvider("wolfJCE");
+        if (p == null) {
+            appendDisplayText("Unable to find wolfJCE provider\n");
+            return;
+        }
+        else {
+            appendDisplayText("Successfully found wolfJCE provider\n");
+            return;
+        }
+    }
+}

IDE/Android/app/src/main/res/drawable-v24/ic_launcher_foreground.xml

@@ -0,0 +1,34 @@
+<vector xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:aapt="http://schemas.android.com/aapt"
+    android:width="108dp"
+    android:height="108dp"
+    android:viewportWidth="108"
+    android:viewportHeight="108">
+    <path
+        android:fillType="evenOdd"
+        android:pathData="M32,64C32,64 38.39,52.99 44.13,50.95C51.37,48.37 70.14,49.57 70.14,49.57L108.26,87.69L108,109.01L75.97,107.97L32,64Z"
+        android:strokeWidth="1"
+        android:strokeColor="#00000000">
+        <aapt:attr name="android:fillColor">
+            <gradient
+                android:endX="78.5885"
+                android:endY="90.9159"
+                android:startX="48.7653"
+                android:startY="61.0927"
+                android:type="linear">
+                <item
+                    android:color="#44000000"
+                    android:offset="0.0" />
+                <item
+                    android:color="#00000000"
+                    android:offset="1.0" />
+            </gradient>
+        </aapt:attr>
+    </path>
+    <path
+        android:fillColor="#FFFFFF"
+        android:fillType="nonZero"
+        android:pathData="M66.94,46.02L66.94,46.02C72.44,50.07 76,56.61 76,64L32,64C32,56.61 35.56,50.11 40.98,46.06L36.18,41.19C35.45,40.45 35.45,39.3 36.18,38.56C36.91,37.81 38.05,37.81 38.78,38.56L44.25,44.05C47.18,42.57 50.48,41.71 54,41.71C57.48,41.71 60.78,42.57 63.68,44.05L69.11,38.56C69.84,37.81 70.98,37.81 71.71,38.56C72.44,39.3 72.44,40.45 71.71,41.19L66.94,46.02ZM62.94,56.92C64.08,56.92 65,56.01 65,54.88C65,53.76 64.08,52.85 62.94,52.85C61.8,52.85 60.88,53.76 60.88,54.88C60.88,56.01 61.8,56.92 62.94,56.92ZM45.06,56.92C46.2,56.92 47.13,56.01 47.13,54.88C47.13,53.76 46.2,52.85 45.06,52.85C43.92,52.85 43,53.76 43,54.88C43,56.01 43.92,56.92 45.06,56.92Z"
+        android:strokeWidth="1"
+        android:strokeColor="#00000000" />
+</vector>

IDE/Android/app/src/main/res/drawable/ic_launcher_background.xml

@@ -0,0 +1,170 @@
+<?xml version="1.0" encoding="utf-8"?>
+<vector xmlns:android="http://schemas.android.com/apk/res/android"
+    android:width="108dp"
+    android:height="108dp"
+    android:viewportWidth="108"
+    android:viewportHeight="108">
+    <path
+        android:fillColor="#008577"
+        android:pathData="M0,0h108v108h-108z" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M9,0L9,108"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M19,0L19,108"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M29,0L29,108"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M39,0L39,108"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M49,0L49,108"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M59,0L59,108"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M69,0L69,108"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M79,0L79,108"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M89,0L89,108"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M99,0L99,108"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M0,9L108,9"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M0,19L108,19"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M0,29L108,29"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M0,39L108,39"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M0,49L108,49"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M0,59L108,59"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M0,69L108,69"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M0,79L108,79"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M0,89L108,89"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M0,99L108,99"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M19,29L89,29"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M19,39L89,39"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M19,49L89,49"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M19,59L89,59"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M19,69L89,69"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M19,79L89,79"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M29,19L29,89"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M39,19L39,89"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M49,19L49,89"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M59,19L59,89"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M69,19L69,89"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+    <path
+        android:fillColor="#00000000"
+        android:pathData="M79,19L79,89"
+        android:strokeWidth="0.8"
+        android:strokeColor="#33FFFFFF" />
+</vector>

IDE/Android/app/src/main/res/layout/activity_main.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="utf-8"?>
+<android.support.constraint.ConstraintLayout xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:app="http://schemas.android.com/apk/res-auto"
+    xmlns:tools="http://schemas.android.com/tools"
+    android:layout_width="match_parent"
+    android:layout_height="match_parent"
+    tools:context=".MainActivity">
+
+    <Button
+        android:id="@+id/button"
+        android:layout_width="320dp"
+        android:layout_height="wrap_content"
+        android:text="Test Provider Lookup"
+        app:layout_constraintBottom_toTopOf="@+id/sample_text"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        app:layout_constraintTop_toTopOf="parent" />
+
+    <TextView
+        android:id="@+id/sample_text"
+        android:layout_width="match_parent"
+        android:layout_height="wrap_content"
+        android:layout_marginTop="16dp"
+        android:paddingVertical="16pt"
+        android:text="Hello World!"
+        android:textColor="#000000"
+        app:layout_constraintBottom_toBottomOf="parent"
+        app:layout_constraintHorizontal_bias="0.461"
+        app:layout_constraintLeft_toLeftOf="parent"
+        app:layout_constraintRight_toRightOf="parent"
+        app:layout_constraintTop_toTopOf="parent"
+        app:layout_constraintVertical_bias="0.067" />
+
+</android.support.constraint.ConstraintLayout>

IDE/Android/app/src/main/res/mipmap-anydpi-v26/ic_launcher.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<adaptive-icon xmlns:android="http://schemas.android.com/apk/res/android">
+  <background android:drawable="@mipmap/ic_launcher"/>
+  <foreground android:drawable="@mipmap/ic_launcher"/>
+  <monochrome android:drawable="@mipmap/ic_launcher"/>
+</adaptive-icon>

IDE/Android/app/src/main/res/values/colors.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+    <color name="colorPrimary">#008577</color>
+    <color name="colorPrimaryDark">#00574B</color>
+    <color name="colorAccent">#D81B60</color>
+</resources>

IDE/Android/app/src/main/res/values/strings.xml

@@ -0,0 +1,3 @@
+<resources>
+    <string name="app_name">wolfSSL</string>
+</resources>

IDE/Android/app/src/main/res/values/styles.xml

@@ -0,0 +1,11 @@
+<resources>
+
+    <!-- Base application theme. -->
+    <style name="AppTheme" parent="Theme.AppCompat.Light.DarkActionBar">
+        <!-- Customize your theme here. -->
+        <item name="colorPrimary">@color/colorPrimary</item>
+        <item name="colorPrimaryDark">@color/colorPrimaryDark</item>
+        <item name="colorAccent">@color/colorAccent</item>
+    </style>
+
+</resources>

IDE/Android/build.gradle

@@ -0,0 +1,32 @@
+// Top-level build file where you can add configuration options common to all sub-projects/modules.
+
+buildscript {
+    repositories {
+        google()
+        jcenter()
+        
+    }
+    dependencies {
+        classpath 'com.android.tools.build:gradle:8.3.1'
+        
+        // NOTE: Do not place your application dependencies here; they belong
+        // in the individual module build.gradle files
+    }
+}
+
+allprojects {
+    repositories {
+        google()
+        jcenter()
+    }
+    gradle.projectsEvaluated {
+        tasks.withType(JavaCompile) {
+            options.compilerArgs << "-Xlint:all" << "-Werror"
+            options.deprecation = false
+        }
+    }
+}
+
+task clean(type: Delete) {
+    delete rootProject.buildDir
+}

IDE/Android/gradle.properties

@@ -0,0 +1,17 @@
+# Project-wide Gradle settings.
+# IDE (e.g. Android Studio) users:
+# Gradle settings configured through the IDE *will override*
+# any settings specified in this file.
+# For more details on how to configure your build environment visit
+# http://www.gradle.org/docs/current/userguide/build_environment.html
+# Specifies the JVM arguments used for the daemon process.
+# The setting is particularly useful for tweaking memory settings.
+android.nonFinalResIds=false
+android.nonTransitiveRClass=false
+org.gradle.jvmargs=-Xmx1536m
+# When configured, Gradle will run in incubating parallel mode.
+# This option should only be used with decoupled projects. More details, visit
+# http://www.gradle.org/docs/current/userguide/multi_project_builds.html#sec:decoupled_projects
+# org.gradle.parallel=true
+
+

IDE/Android/gradle/wrapper/gradle-wrapper.properties

@@ -0,0 +1,6 @@
+#Thu Nov 04 15:51:08 MDT 2021
+distributionBase=GRADLE_USER_HOME
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-bin.zip
+distributionPath=wrapper/dists
+zipStorePath=wrapper/dists
+zipStoreBase=GRADLE_USER_HOME

IDE/Android/gradlew

@@ -0,0 +1,172 @@
+#!/usr/bin/env sh
+
+##############################################################################
+##
+##  Gradle start up script for UN*X
+##
+##############################################################################
+
+# Attempt to set APP_HOME
+# Resolve links: $0 may be a link
+PRG="$0"
+# Need this for relative symlinks.
+while [ -h "$PRG" ] ; do
+    ls=`ls -ld "$PRG"`
+    link=`expr "$ls" : '.*-> \(.*\)$'`
+    if expr "$link" : '/.*' > /dev/null; then
+        PRG="$link"
+    else
+        PRG=`dirname "$PRG"`"/$link"
+    fi
+done
+SAVED="`pwd`"
+cd "`dirname \"$PRG\"`/" >/dev/null
+APP_HOME="`pwd -P`"
+cd "$SAVED" >/dev/null
+
+APP_NAME="Gradle"
+APP_BASE_NAME=`basename "$0"`
+
+# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+DEFAULT_JVM_OPTS=""
+
+# Use the maximum available, or set MAX_FD != -1 to use that value.
+MAX_FD="maximum"
+
+warn () {
+    echo "$*"
+}
+
+die () {
+    echo
+    echo "$*"
+    echo
+    exit 1
+}
+
+# OS specific support (must be 'true' or 'false').
+cygwin=false
+msys=false
+darwin=false
+nonstop=false
+case "`uname`" in
+  CYGWIN* )
+    cygwin=true
+    ;;
+  Darwin* )
+    darwin=true
+    ;;
+  MINGW* )
+    msys=true
+    ;;
+  NONSTOP* )
+    nonstop=true
+    ;;
+esac
+
+CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
+
+# Determine the Java command to use to start the JVM.
+if [ -n "$JAVA_HOME" ] ; then
+    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
+        # IBM's JDK on AIX uses strange locations for the executables
+        JAVACMD="$JAVA_HOME/jre/sh/java"
+    else
+        JAVACMD="$JAVA_HOME/bin/java"
+    fi
+    if [ ! -x "$JAVACMD" ] ; then
+        die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+    fi
+else
+    JAVACMD="java"
+    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+fi
+
+# Increase the maximum file descriptors if we can.
+if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
+    MAX_FD_LIMIT=`ulimit -H -n`
+    if [ $? -eq 0 ] ; then
+        if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
+            MAX_FD="$MAX_FD_LIMIT"
+        fi
+        ulimit -n $MAX_FD
+        if [ $? -ne 0 ] ; then
+            warn "Could not set maximum file descriptor limit: $MAX_FD"
+        fi
+    else
+        warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
+    fi
+fi
+
+# For Darwin, add options to specify how the application appears in the dock
+if $darwin; then
+    GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
+fi
+
+# For Cygwin, switch paths to Windows format before running java
+if $cygwin ; then
+    APP_HOME=`cygpath --path --mixed "$APP_HOME"`
+    CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
+    JAVACMD=`cygpath --unix "$JAVACMD"`
+
+    # We build the pattern for arguments to be converted via cygpath
+    ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
+    SEP=""
+    for dir in $ROOTDIRSRAW ; do
+        ROOTDIRS="$ROOTDIRS$SEP$dir"
+        SEP="|"
+    done
+    OURCYGPATTERN="(^($ROOTDIRS))"
+    # Add a user-defined pattern to the cygpath arguments
+    if [ "$GRADLE_CYGPATTERN" != "" ] ; then
+        OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
+    fi
+    # Now convert the arguments - kludge to limit ourselves to /bin/sh
+    i=0
+    for arg in "$@" ; do
+        CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
+        CHECK2=`echo "$arg"|egrep -c "^-"`                                 ### Determine if an option
+
+        if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then                    ### Added a condition
+            eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
+        else
+            eval `echo args$i`="\"$arg\""
+        fi
+        i=$((i+1))
+    done
+    case $i in
+        (0) set -- ;;
+        (1) set -- "$args0" ;;
+        (2) set -- "$args0" "$args1" ;;
+        (3) set -- "$args0" "$args1" "$args2" ;;
+        (4) set -- "$args0" "$args1" "$args2" "$args3" ;;
+        (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
+        (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
+        (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
+        (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
+        (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
+    esac
+fi
+
+# Escape application args
+save () {
+    for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
+    echo " "
+}
+APP_ARGS=$(save "$@")
+
+# Collect all arguments for the java command, following the shell quoting and substitution rules
+eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
+
+# by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong
+if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then
+  cd "$(dirname "$0")"
+fi
+
+exec "$JAVACMD" "$@"

IDE/Android/gradlew.bat

@@ -0,0 +1,84 @@
+@if "%DEBUG%" == "" @echo off
+@rem ##########################################################################
+@rem
+@rem  Gradle startup script for Windows
+@rem
+@rem ##########################################################################
+
+@rem Set local scope for the variables with windows NT shell
+if "%OS%"=="Windows_NT" setlocal
+
+set DIRNAME=%~dp0
+if "%DIRNAME%" == "" set DIRNAME=.
+set APP_BASE_NAME=%~n0
+set APP_HOME=%DIRNAME%
+
+@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+set DEFAULT_JVM_OPTS=
+
+@rem Find java.exe
+if defined JAVA_HOME goto findJavaFromJavaHome
+
+set JAVA_EXE=java.exe
+%JAVA_EXE% -version >NUL 2>&1
+if "%ERRORLEVEL%" == "0" goto init
+
+echo.
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+echo.
+echo Please set the JAVA_HOME variable in your environment to match the
+echo location of your Java installation.
+
+goto fail
+
+:findJavaFromJavaHome
+set JAVA_HOME=%JAVA_HOME:"=%
+set JAVA_EXE=%JAVA_HOME%/bin/java.exe
+
+if exist "%JAVA_EXE%" goto init
+
+echo.
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
+echo.
+echo Please set the JAVA_HOME variable in your environment to match the
+echo location of your Java installation.
+
+goto fail
+
+:init
+@rem Get command-line arguments, handling Windows variants
+
+if not "%OS%" == "Windows_NT" goto win9xME_args
+
+:win9xME_args
+@rem Slurp the command line arguments.
+set CMD_LINE_ARGS=
+set _SKIP=2
+
+:win9xME_args_slurp
+if "x%~1" == "x" goto execute
+
+set CMD_LINE_ARGS=%*
+
+:execute
+@rem Setup the command line
+
+set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
+
+@rem Execute Gradle
+"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%
+
+:end
+@rem End local scope for the variables with windows NT shell
+if "%ERRORLEVEL%"=="0" goto mainEnd
+
+:fail
+rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
+rem the _cmd.exe /c_ return code!
+if  not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
+exit /b 1
+
+:mainEnd
+if "%OS%"=="Windows_NT" endlocal
+
+:omega

IDE/Android/settings.gradle

@@ -0,0 +1 @@
+include ':app'

IDE/WIN/README.md

@@ -137,8 +137,12 @@ section titled `/* Configuration */`:
 ```
 #define WOLFSSL_KEY_GEN
 #define HAVE_CRL
+#define OPENSSL_ALL
 ```
 
+If also building wolfSSL JNI/JSSE, additional defines may be needed. Please
+reference the Windows build documentation for wolfSSL JNI/JSSE if so.
+
 After editing and saving the `user_settings.h` file, select one of the following
 DLL Library configurations and build the wolfSSL library solution:
 
@@ -204,8 +208,12 @@ and set the values for `HAVE_FIPS`, `HAVE_FIPS_VERSION`, and
 ```
 #define WOLFSSL_KEY_GEN
 #define HAVE_CRL
+#define OPENSSL_ALL
 ```
 
+If also building wolfSSL JNI/JSSE, additional defines may be needed. Please
+reference the Windows build documentation for wolfSSL JNI/JSSE if so.
+
 6. Build the `wolfssl-fips` project, which will create a DLL in one of the
 following locations:
 
@@ -230,19 +238,20 @@ in the wolfCrypt tests successfully running.
 See the FIPS User Guide for more details on the FIPS verifyCore hash, or
 email support@wolfssl.com.
 
-## wolfSSL FIPS 140-3 (Upcoming)
+## wolfSSL FIPS 140-3 (Certificate #4718)
 
-To build a version of wolfSSL that has been submitted for FIPS 140-3, use
-the Visual Studio solution file under the `IDE\WIN10` directory inside the
-wolfSSL package:
+To build a wolfSSL FIPS 140-3 variant for use with FIPS 140-3 certificate
+#4718, use the Visual Studio solution file located in the `IDE/WIN10`
+directory inside the wolfSSL package:
 
 ```
 <wolfssl>\IDE\WIN10\wolfssl-fips.sln
 ```
 
 Follow instructions in the above section for 140-2 / 3389, except use the
-following values for `HAVE_FIPS`, `HAVE_FIPS_VERSION`, and
-`HAVE_FIPS_VERSION_MINOR` in `user_settings.h`:
+following values for `HAVE_FIPS`, `HAVE_FIPS_VERSION`,
+`HAVE_FIPS_VERSION_MAJOR`, `HAVE_FIPS_VERSION_MINOR`, and
+`HAVE_FIPS_VERSION_PATCH` in `user_settings.h`:
 
 ```
 #if 1
@@ -250,8 +259,12 @@ following values for `HAVE_FIPS`, `HAVE_FIPS_VERSION`, and
 #define HAVE_FIPS
 #undef HAVE_FIPS_VERSION
 #define HAVE_FIPS_VERSION 5
+#undef HAVE_FIPS_VERSION_MAJOR
+#define HAVE_FIPS_VERSION_MAJOR 5
 #undef HAVE_FIPS_VERSION_MINOR
-#define HAVE_FIPS_VERSION_MINOR 1
+#define HAVE_FIPS_VERSION_MINOR 2
+#undef HAVE_FIPS_VERSION_PATCH
+#define HAVE_FIPS_VERSION_PATCH 0
 #endif
 ```
 
@@ -261,8 +274,12 @@ The following additional defines will also need to be added to
 ```
 #define WOLFSSL_KEY_GEN
 #define HAVE_CRL
+#define OPENSSL_ALL
 ```
 
+If also building wolfSSL JNI/JSSE, additional defines may be needed. Please
+reference the Windows build documentation for wolfSSL JNI/JSSE if so.
+
 For additional help, contact support@wolfssl.com.
 
 # Building wolfCrypt JNI/JCE Library

IDE/WIN/wolfcryptjni.vcxproj

@@ -78,6 +78,7 @@
     <ClCompile Include="..\..\jni\jni_feature_detect.c" />
     <ClCompile Include="..\..\jni\jni_fips.c" />
     <ClCompile Include="..\..\jni\jni_hmac.c" />
+    <ClCompile Include="..\..\jni\jni_jce_wolfsslkeystore.c" />
     <ClCompile Include="..\..\jni\jni_logging.c" />
     <ClCompile Include="..\..\jni\jni_md5.c" />
     <ClCompile Include="..\..\jni\jni_native_struct.c" />

IDE/WIN/wolfcryptjni.vcxproj.filters

@@ -170,5 +170,8 @@
     <ClCompile Include="..\..\jni\jni_wolfssl_cert_manager.c">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="..\..\jni\jni_jce_wolfsslkeystore.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
 </Project>

README.md

@@ -35,7 +35,16 @@ $ make check
 $ sudo make install
 ```
 
-**wolfSSL FIPSv2 Build**:
+**wolfSSL FIPSv2 (FIPS 140-2 Cert 3389) Build**:
+
+```
+$ cd wolfssl-x.x.x-commercial-fips
+$ ./configure --enable-fips=v2 --enable-jni
+$ make check
+$ sudo make install
+```
+
+**wolfSSL FIPSv5 (FIPS 140-3 Cert 4718) Build**:
 
 ```
 $ cd wolfssl-x.x.x-commercial-fips
@@ -62,7 +71,7 @@ on building with Maven. Continue reading here for instructions to build with
 ant.
 
 1) Compile the native wolfCrypt JNI object files. Two makefiles are distributed,
-one for Linux (`makefile.linux`) and one for Mac OSX (`makefile.macosx`). First
+one for Linux (`makefile.linux`) and one for macOS (`makefile.macosx`). First
 copy the makefile for your platform to a file called `makefile`:
 
 ```
@@ -208,7 +217,7 @@ on the current release):
         <dependency>
             <groupId>com.wolfssl</groupId>
             <artifactId>wolfcrypt-jni</artifactId>
-            <version>1.6.0-SNAPSHOT</version>
+            <version>1.8.0-SNAPSHOT</version>
         </dependency>
     </dependencies>
     ...

README_JCE.md

@@ -21,6 +21,65 @@ and Android platforms.
 Pre-compiled and signed wolfCrypt JNI/JCE JAR's are included with the stable
 releases of the JCE provider. See below for more details.
 
+### System and Security Property Support
+---------
+
+wolfJCE supports the following System and Security properties for behavior
+customization and debugging.
+
+#### Security Property Support
+
+The following Java Security properties can be set in the `java.security`
+file for JCE provider customization:
+
+| Security Property | Default | To Enable | Description |
+| --- | --- | --- | --- |
+| wolfjce.wks.iterationCount | 210,000 | Numeric | PBKDF2 iteration count (10,000 minimum) |
+| wolfjce.wks.maxCertChainLength | 100 | Integer | Max cert chain length |
+| wolfjce.mapJKStoWKS | UNSET | true | Register fake JKS KeyStore service mapped to WKS |
+| wolfjce.mapPKCS12toWKS | UNSET | true | Register fake PKCS12 KeyStore service mapped to WKS |
+
+**wolfjce.mapJKStoWKS** - this Security property should be used with caution.
+When enabled, this will register a "JKS" KeyStore type in wolfJCE, which means
+calling applications using `KeyStore.getInstance("JKS")` will get a KeyStore
+implementation from wolfJCE. BUT, this KeyStore type will actually be a
+WolfSSLKeyStore (WKS) type internally. Loading actual JKS files will fail.
+This can be helpful when FIPS compliance is required, but existing code gets
+a JKS KeyStore instance - and this assumes the caller has the flexibility to
+actually load a real WKS KeyStore file into this KeyStore object. If this
+property is being set at runtime programatically, the wolfJCE provider services
+will need to be refreshed / reloaded, by doing:
+
+```
+WolfCryptProvider prov = (WolfCryptProvider)Security.getProvider("wolfJCE");
+prov.refreshServices();
+```
+
+**wolfjce.mapPKCS12toWKS** - this Security property should be used with caution.
+When enabled, this will register a "PKCS12" KeyStore type in wolfJCE, which
+means calling applications using `KeyStore.getInstance("PKCS12")` will get a
+KeyStore implementation from wolfJCE. BUT, this KeyStore type will actually be a
+WolfSSLKeyStore (WKS) type internally. Loading actual PKCS12 files will fail.
+This can be helpful when FIPS compliance is required, but existing code gets
+a PKCS12 KeyStore instance - and this assumes the caller has the flexibility to
+actually load a real WKS KeyStore file into this KeyStore object. If this
+property is being set at runtime programatically, the wolfJCE provider services
+will need to be refreshed / reloaded, by doing:
+
+```
+WolfCryptProvider prov = (WolfCryptProvider)Security.getProvider("wolfJCE");
+prov.refreshServices();
+```
+
+#### System Property Support
+
+The following Java System properties can be set on the command line or
+programatically for JCE provider customization:
+
+| System Property | Default | To Enable | Description |
+| --- | --- | --- | --- |
+| wolfjce.debug | "false" | "true" | Enable wolfJCE debug logging |
+
 ### Algorithm Support:
 ---------
 
@@ -29,9 +88,14 @@ The JCE provider currently supports the following algorithms:
     MessageDigest Class
         MD5
         SHA-1
+        SHA-224
         SHA-256
         SHA-384
         SHA-512
+        SHA3-224
+        SHA3-256
+        SHA3-384
+        SHA3-512
 
     SecureRandom Class
         DEFAULT (maps to HashDRBG)
@@ -48,26 +112,49 @@ The JCE provider currently supports the following algorithms:
     Mac Class
         HmacMD5
         HmacSHA1
+        HmacSHA224
         HmacSHA256
         HmacSHA384
         HmacSHA512
+        HmacSHA3-224
+        HmacSHA3-256
+        HmacSHA3-384
+        HmacSHA3-512
 
     Signature Class
         MD5withRSA
         SHA1withRSA
+        SHA224withRSA
         SHA256withRSA
         SHA384withRSA
         SHA512withRSA
+        SHA3-224withRSA
+        SHA3-256withRSA
+        SHA3-384withRSA
+        SHA3-512withRSA
         SHA1withECDSA
+        SHA224withECDSA
         SHA256withECDSA
         SHA384withECDSA
         SHA512withECDSA
+        SHA3-224withECDSA
+        SHA3-256withECDSA
+        SHA3-384withECDSA
+        SHA3-512withECDSA
 
     KeyAgreement Class
         DiffieHellman
         DH
         ECDH
 
+    KeyGenerator
+        AES
+        HmacSHA1
+        HmacSHA224
+        HmacSHA256
+        HmacSHA384
+        HmacSHA512
+
     KeyPairGenerator Class
         RSA
         EC
@@ -87,6 +174,9 @@ The JCE provider currently supports the following algorithms:
         PBKDF2WithHmacSHA3-384
         PBKDF2WithHmacSHA3-512
 
+    KeyStore
+        WKS
+
 ### SecureRandom.getInstanceStrong()
 
 When registered as the highest priority security provider, wolfJCE will provide
@@ -104,6 +194,147 @@ securerandom.strongAlgorithms=HashDRBG:wolfJCE
 Note that the `securerandom.source` property in `java.security` has no affect
 on the wolfJCE provider.
 
+### WolfSSLKeyStore (WKS) Implementation Details and Usage
+
+wolfJCE implements one custom KeyStore class named WolfSSLKeyStore, represented
+as "WKS". If wolfJCE has been installed as a Security provider, this KeyStore
+can be used with:
+
+```
+KeyStore store = KeyStore.getInstance("WKS");
+```
+
+#### Algorithm Use and FIPS 140-2 / 140-3 Compatibility
+
+The WKS KeyStore has been designed to be compatible with wolfCrypt
+FIPS 140-2 and 140-3.
+
+PrivateKey and SecretKey objects stored are protected inside the KeyStore
+using AES-CBC-256 with HMAC-SHA512 in an Encrypt-then-MAC manner. PKCS#5
+PBKDF2-HMAC-SHA512 is used to generate 96 bytes of key material which is split
+between a 32-byte AES-CBC-256 key and 64-byte HMAC-SHA512 key.
+
+PBKDF2 salt is 16 bytes, randomly generated for each key storage operation
+PBKDF2 iteration count defaults to 210,000 (current OWASP recommendation), but
+is user overridable with wolfjce.wks.iterationCount Security property in
+java.security file. User password is converted from char[] to byte[] using
+UTF-8, consistent with how SunJCE uses UTF-8 for PBKDF2 SecretKeyFactory.
+AES-CBC IV is randomly generated for each key storage operation
+
+This KeyStore uses a different format that is not directly compatible with
+existing formats (ex: JKS, PKCS12, etc). Other KeyStore types will need to be
+converted over to WKS KeyStore objects for FIPS compliant use with wolfCrypt
+FIPS 140-2/3.
+
+#### Stored Object Compatibility
+
+The WKS KeyStore supports storage of PrivateKey, Certificate, and
+SecretKey objects.
+
+#### Converting Other KeyStore Formats to WKS
+
+The Java `keytool` application can be used to convert between KeyStore formats.
+This can be easily used to convert a JKS KeyStore into a WKS format KeyStore.
+
+The following example command would convert a KeyStore in JKS format named
+`server.jks` to a KeyStore in WKS format named `server.wks`:
+
+```
+keytool -importkeystore -srckeystore server.jks -destkeystore server.wks \
+    -srcstoretype JKS -deststoretype WKS \
+    -srcstorepass "pass" -deststorepass "pass" \
+    -provider com.wolfssl.provider.jce.WolfCryptProvider \
+    --providerpath /path/to/wolfcrypt-jni.jar
+```
+
+Additionally, wolfJCE provides a utility method `WolfCryptUtil.convertKeyStoreToWKS()` 
+that can be used programmatically to convert KeyStore formats. This method
+supports converting from JKS, PKCS12, and WKS formats to WKS format. When
+converting from WKS to WKS, the method efficiently returns the same input
+stream without performing any conversion.
+
+The method automatically detects the input KeyStore format and handles the
+conversion appropriately. It supports the following features:
+
+- Automatic format detection (WKS, JKS, PKCS12)
+- Preservation of all certificates and keys from the source KeyStore
+- Support for both key entries (with certificate chains) and certificate-only entries
+- Efficient handling of WKS input (returns same stream)
+- Proper stream handling with mark/reset support for large KeyStores
+
+**FIPS NOTE:** This utility method will call Sun provider code for JKS
+and PKCS12. This means that if using wolfCrypt FIPS, these calls will make
+calls into non-FIPS compliant cryptography for the conversion. Please take
+this into consideration when being used in a FIPS compliant environment.
+
+Example usage:
+
+```java
+import com.wolfssl.provider.jce.WolfCryptUtil;
+import java.io.InputStream;
+import java.security.KeyStore;
+
+/* Load your source KeyStore (JKS, PKCS12, or WKS) */
+InputStream sourceStream = ...;
+char[] password = "your_password".toCharArray();
+
+/* Convert to WKS format, fail on insert errors */
+InputStream wksStream = WolfCryptUtil.convertKeyStoreToWKS(sourceStream, password, true);
+
+/* Load the converted WKS KeyStore */
+KeyStore wksStore = KeyStore.getInstance("WKS", "wolfJCE");
+wksStore.load(wksStream, password);
+```
+
+The method respects the Security properties `wolfjce.mapJKStoWKS` and 
+`wolfjce.mapPKCS12toWKS` when performing conversions. If these properties are
+set to "true", the method will use reflection to find the Sun provider
+implementations for JKS and PKCS12 to use for conversion.
+
+To list entries inside a WKS keystore using the `keytool`, a command
+similar to the following can be used (with the `-list` option):
+
+```
+keytool -list -provider com.wolfssl.provider.jce.WolfCryptProvider \
+    --providerpath /path/to/wolfcrypt-jni.jar \
+    -storetype WKS -storepass "pass" -keystore server.wks
+```
+
+If running the above commands gives an error about the native wolfcryptjni
+shared library not being found, you may need to add the library location
+to `LD_LIBRARY_PATH` (Linux) or `DYLD_LIBRARY_PATH` (Mac OSX), ie:
+
+```
+export LD_LIBRARY_PATH=/path/to/libwolfcryptjni.so:$LD_LIBRARY_PATH
+```
+
+#### Converting System cacerts to WKS Format KeyStore
+
+For FIPS compatibility, users who do not want to use non-wolfSSL KeyStore
+implementations (ex: JKS) may need to convert the system cacerts or
+jssecacerts KeyStore to WKS format. This can be done using the keytool
+command as described above (default password for cacerts is 'changeit'), or
+the helper script located in this package at:
+
+```
+examples/certs/systemcerts/system-cacerts-to-wks.sh
+```
+
+This is a shell script that takes no arguments. It tries to detect the
+location of the active Java installation and converts `cacerts` and/or
+`jssecacerts` to WKS format if they are found. Converted KeyStores are placed
+under the same directory as the script, specifically:
+
+```
+examples/certs/systemcerts/cacerts.wks
+examples/certs/systemcerts/jssecacerts.wks
+```
+
+#### Design Notes
+
+More complete design documentation can be found in
+[docs/WolfSSLKeyStore.md](./docs/design/WolfSSLKeyStore.md).
+
 ### Example / Test Code
 ---------
 
@@ -133,6 +364,55 @@ The example can then be run using:
 $ ./examples/provider/ProviderTest.sh
 ```
 
+**CryptoBenchmark**
+
+This example benchmarks the performance of cryptographic operations using the
+wolfJCE provider. It tests AES-CBC with 256-bit key encryption/decryption
+operations.
+
+Build and run:
+
+```
+# From wolfcrypt-jni root directory
+make                      # Build native library
+ant build-jce-release     # Build JCE JAR
+
+# Run benchmark
+./examples/provider/CryptoBenchmark.sh
+```
+
+This script requires for `JAVA_HOME` to be set.
+
+For Bouncy Castle comparison testing:
+
+CryptoBenchmark.sh will prompt with the following:
+
+```
+Would you like to download Bouncy Castle JARs? (y/n)
+```
+
+If you respond with 'y', the script will download the Bouncy Castle JARs and
+run the benchmark with Bouncy Castle. At the end of the benchmark, the script
+will prompt whether or not to remove the Bouncy Castle JAR files.
+
+If you prefer to download the JARs manually, follow the instructions below:
+
+Visit [bouncy-castle-java](https://www.bouncycastle.org/download/bouncy-castle-java/)
+
+Download:
+
+```
+bcprov-jdk18on-1.79.jar # Bouncy Castle Provider
+bctls-jdk18on-1.79.jar  # Bouncy Castle DTLS/TLS API/JSSE Provider
+```
+
+Copy jar files to wolfcrypt-jni/lib/:
+
+```
+cp bcprov-jdk18on-1.79.jar wolfcrypt-jni/lib
+cp bctls-jdk18on-1.79.jar wolfcrypt-jni/lib
+```
+
 ### JAR Code Signing
 ---------
 
@@ -151,7 +431,7 @@ ant build system, please see the main README.md included in this package.
 wolfSSL (company) has it's own set of code signing certificates from Oracle
 that allow wolfJCE to be authenticated in the Oracle JDK.  With each release
 of wolfJCE, wolfSSL ships a couple pre-signed versions of the
-‘wolfcrypt-jni.jar”, located at:
+'wolfcrypt-jni.jar", located at:
 
 wolfcrypt-jni-X.X.X/lib/signed/debug/wolfcrypt-jni.jar
 wolfcrypt-jni-X.X.X/lib/signed/release/wolfcrypt-jni.jar

build.xml

@@ -19,14 +19,14 @@
     <!-- versioning/manifest properties -->
     <property name="implementation.vendor"  value="wolfSSL Inc." />
     <property name="implementation.title"   value="wolfCrypt JNI" />
-    <property name="implementation.version" value="1.6" />
+    <property name="implementation.version" value="1.8" />
 
     <!-- set properties for this build -->
     <property name="src.dir" value="src/main/java/" />
     <property name="jni.dir" value="jni/include/" />
     <property name="lib.dir" value="lib/" />
     <property name="build.dir" value="build" />
-    <property name="doc.dir" value="docs" />
+    <property name="doc.dir" value="docs/javadoc" />
     <property name="test.dir" value="src/test/java/" />
     <property name="test.build.dir" value="build/test" />
     <property name="reports.dir" value="build/reports" />
@@ -86,6 +86,9 @@
         <delete failonerror="false">
             <fileset dir="${lib.dir}" includes="wolfcrypt-jni.jar" />
         </delete>
+        <delete includeemptydirs="true" failonerror="false">
+            <fileset dir="${doc.dir}" includes="**/*"/>
+        </delete>
     </target>
 
     <!-- set javac flags: debug jar, no optimization, all debug symbols -->
@@ -111,6 +114,7 @@
     <target name="init" depends="clean, debug-javac-flags, release-javac-flags">
         <mkdir dir="${build.dir}" />
         <mkdir dir="${lib.dir}" />
+        <mkdir dir="${doc.dir}" />
         <mkdir dir="${test.build.dir}" />
         <mkdir dir="${reports.dir}" />
         <mkdir dir="${examples.provider.build.dir}" />

docs/design/WolfSSLKeyStore.md

@@ -0,0 +1,256 @@
+
+# wolfSSL KeyStore (WKS) Design Notes
+
+The WKS KeyStore format was designed to be compatible with wolfCrypt FIPS
+140-2 and 140-3, meaning it utilizes FIPS validated cryptographic algorithms.
+This document includes notes on the design and algorithm choices used by WKS.
+For details on the wolfCrypt FIPS 140-2/3 cryptographic module and boundary,
+please reference the appropriate Security Policy or contact fips@wolfssl.com.
+
+## User Customizable Properties
+
+| Security Property | Default | Min | Description |
+| --- | --- | --- | --- |
+| `wolfjce.wks.iterationCount` | 210,000 | 10,000 | PBKDF2 iteration count |
+| `wolfjce.wks.maxCertChainLength` | 100 | N/A | Max cert chain length |
+
+## Notes on Algorithm and Security Properties
+
+PBKDF2-HMAC-SHA512 was chosen over PBKDF2-HMAC-SHA256 for AES and HMAC key
+generation to allow use of fewer iterations (210,000, as per current
+[OWASP recommendations](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2)) versus the recommended 600,000 for SHA-256.
+
+PBKDF2 salt size of 128-bits (16 bytes) is used to follow recommendations
+in [NIST SP 800-132, Page 6](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf).
+
+AES-CBC (AES/CBC/PKCS5Padding) was chosen over AES-GCM since AES-GCM requires
+that each {key,nonce} combination be unique. Simply generating a random nonce
+via RNG does not guarantee uniqueness, and we have no way of maintaining an
+accurate counter across KeyStore objects and store/load operations.
+
+Different keys are used for PrivateKey/SecretKey encryption and HMAC, and
+derived from one larger PBKDF2 operation (96 bytes) then split between
+encryption (32-byte key) and HMAC (64-byte key) operations. A
+random salt is generated for each PBKDF2 key generation operation.
+
+HMAC values are calculated over content but also the PBKDF2 salt length,
+salt, and iteration count, and all other key parameters (ex: IV and length) to
+also include those in the integrity check.
+
+## KeyStore Integrity
+
+### HMAC Generation During KeyStore Storage
+
+When WKS KeyStore objects are stored (`engineStore()`), the following format
+is used. This is composed of a *HEADER* section, an *ENTRIES* section, followed
+lastly by an HMAC generated over the *HEADER* and *ENTRIES*, including the
+PBKDF2 salt, salt length, and iteration count.
+
+The *HEADER* includes a magic number specific to the WKS KeyStore type (`7`), a
+WKS KeyStore version (may be incremented in the future as features are added
+or if the WKS type definition changes), and a count of the entries included in
+the store.
+
+The *ENTRIES* section is made up of one or more `WKSPrivateKey`,
+`WKSSecretKey`, or `WKSCertificate` entries. These represent the storage of
+a `PrivateKey`, `SecretKey`, and `Certificate` objects respectively.
+
+Generation of the HMAC happens during a call to
+`engineStore(OutputStream stream, char[] password)` and is generated in the
+following manner:
+
+- Input password must not be null or zero length
+- Input password is converted from `char[]` into `byte[]` using password
+conversion algorithm described below.
+- Random salt of size `WKS_PBKDF2_SALT_SIZE` (128 bits) is generated
+- HMAC-SHA512 key (64-bytes) is generated with PBKDF2-HMAC-SHA512 using:
+    + Password byte array
+    + Random 16-byte salt (`WKS_PBKDF2_SALT_SIZE`)
+    + 210,000 iterations (`WKS_PBKDF2_ITERATION_COUNT`), but can be overriden
+      by user by setting `wolfjce.wks.iterationCount` Security property.
+      Minimum iteration count is 10,000.
+- The final HMAC-SHA512 is calculated using the derived key over the bytes of
+*HEADER*, *ENTRIES*, salt length, salt, and iteration count. It is then
+written out to the OutputStream.
+
+### HMAC Verification During KeyStore Load
+
+When a WKS KeyStore is loaded with
+`engineLoad(InputStream stream, char[] password)`, the input password is
+optional. If a password is provided, the KeyStore integrity will be checked
+using the included HMAC, otherwise the integrity check will be skipped.
+This design is to maintain consistency with how the Java JKS format handles
+integrity checks upon KeyStore load, and allows for easy conversion and use
+of files such as `cacerts` to a WKS type where users do not normally provide
+the password when loading the KeyStore file.
+
+Since the HMAC is stored at the end of the KeyStore stream, `engineLoad()`
+buffers KeyStore bytes as they are read in, up to and including the PBKDF2
+salt size, salt, and PBKDF2 iteration count. Once all entries have been read,
+the HMAC is read and verified:
+- The salt length is read, sanitized against `WKS_PBKDF2_SALT_SIZE`
+- The salt is read
+- The PBKDF2 iteration count is read, and checked against min size of
+`WKS_PBKDF2_MIN_ITERATIONS`
+- Caching of data is paused while the HMAC is read in next
+- The original HMAC length is read
+- An HMAC-SHA512 is regenerated over the buffered header and entry bytes
+    + Password is converted from char[] to byte[] as explained below
+    + An HMAC-SHA512 key (64-bytes) is calculated as explained above, using
+      salt that was read from input KeyStore stream
+    + The generated HMAC value is calculated using this key
+- The generated HMAC is compared in both size and contents against the stored
+HMAC. If these are different, an IOException is thrown.
+
+### Stored WKS format:
+
+```
+ *   HEADER:
+ *     magicNumber                       (int / 7)
+ *     keystoreVersion                   (int)
+ *     entryCount                        (int)
+ *   ENTRIES (can be any of below, depending on type)
+ *     [WKSPrivateKey]
+ *       entryId                         (int / 1)
+ *       alias                           (UTF String)
+ *       creationDate.getTime()          (long)
+ *       kdfSalt.length                  (int)
+ *       kdfSalt                         (byte[])
+ *       kdfIterations                   (int)
+ *       iv.length                       (int)
+ *       iv                              (byte[])
+ *       encryptedKey.length             (int)
+ *       encryptedKey                    (byte[])
+ *       chain.length                    (int)
+ *       FOR EACH CERT:
+ *         chain[i].getType()            (UTF String)
+ *         chain[i].getEncoded().length  (int)
+ *         chain[i].getEncoced()         (byte[])
+ *       hmac.length                     (int)
+ *       hmac (HMAC-SHA512)              (byte[])
+ *     [WKSSecretKey]
+ *       entryId                         (int / 3)
+ *       alias                           (UTF String)
+ *       creationDate.getTime()          (long)
+ *       key.getAlgorithm()              (UTF String)
+ *       kdfSalt.length                  (int)
+ *       kdfIterations                   (int)
+ *       kdfSalt                         (byte[])
+ *       iv.length                       (int)
+ *       iv                              (byte[])
+ *       encryptedKey.length             (int)
+ *       encryptedKey                    (byte[])
+ *       hmac.length                     (int)
+ *       hmac (HMAC-SHA512)              (byte[])
+ *     [WKSCertificate]
+ *       entryId                         (int / 2)
+ *       alias                           (UTF String)
+ *       creationDate.getTime()          (long)
+ *       cert.getType()                  (UTF String)
+ *       cert.getEncoded().length        (int)
+ *       cert.getEncoced()               (byte[])
+ *   HMAC PBKDF2 salt length             int
+ *   HMAC PBKDF2 salt                    (byte[])
+ *   HMAC PBKDF2 iterations              int
+ *   HMAC length                         int
+ *   HMAC (HMAC-SHA512)                  (byte[])
+```
+
+## PrivateKey Protection
+
+A PrivateKey entry is stored into the KeyStore with the `engineSetKeyEntry()`
+method, exposed publicly through `KeyStore` as `setKeyEntry()`, when
+passing in a `Key` of type `PrivateKey`. The password argument is not allowed
+to be null, otherwise a KeyStoreException is thrown.
+
+```
+void setKeyEntry(String alias, Key key, char[] password, Certificate[] chain)
+```
+
+Process of storing a PrivateKey is as follows:
+- Sanity check the certificate chain:
+    + Chain is not null or zero length chain
+    + Chain is made up of X509Certificate objects
+    + Chain cert signatures are correct as we walk up the chain. The cert
+      chain should be ordered from leaf cert (entity) to top-most intermedate
+      certificate. The last cert is loaded as a trusted root, and used to
+      verify the rest of the chain, since we don't have the root CA cert
+      available at this point.
+- Verify private key (`Key key`) matches the leaf certificate (`chain[0]`)
+- Encrypt private key before storing into KeyStore map:
+    + Generate random PBKDF2 salt, of size `WKS_PBKDF2_SALT_SIZE` bytes
+    + Generate random IV, of size `WKS_ENC_IV_LENGTH` bytes
+    + Convert password from char[] into byte[] using password conversion
+      algorithm described below.
+    + Encryption key is derived using PBKDF2-SHA256 using byte array, random
+      salt, and `WKS_PBKDF2_ITERATION_COUNT` (or customized) iteration count.
+        - 96-byte key is generated with PBKDF2 in total, split between 32-byte
+          AES-CBC-256 and 64-byte HMAC-SHA512 keys.
+    + Encrypt key bytes using AES-CBC-256
+    + Generate HMAC-SHA512 over encrypted key and other WKSPrivateKey
+      object members
+    + Zeroize KEK and HMAC keys (generated from PBKDF2)
+
+When importing a PrivateKey from a KeyStore stream, the process is reversed.
+Initially during `engineLoad()`, parameters are read in as well as the encrypted
+key:
+- Read PBKDF2 salt length, sanity check against `WKS_PBKDF2_SALT_SIZE`
+- Read PBKDF2 salt
+- Read PBKDF2 iterations, sanity check against `WKS_PBKDF2_MIN_ITERATIONS`
+- Read encryption IV, santiy check against `WKS_ENC_IV_LENGTH`
+- Read encrypted key
+- Read certificate chain if present, check length against `WKS_MAX_CHAIN_COUNT`
+- Read HMAC value into object variable, will be checked when user gets key out
+
+The PrivateKey is stored encrypted internal to the WolfSSLKeyStore until
+a caller retrieves it with `getKey()`. At that point, WolfSSLKeyStore:
+- Derives the decryption key using PBKDF2-SHA256
+    + Converts password from `char[]` to `byte[]` using algorithm below
+    + Uses salt and iteration count stored internally from encryption
+      process or read from KeyStore stream after loading
+    + Derives decryption key and HMAC key with PBKDF2-HMAC-SHA512
+    + Regenerate and verify HMAC against stored value
+    + Decrypts key using AES-CBC-256
+    + Zeroizes KEK and HMAC keys (generated from PBKDF2)
+
+## SecretKey Protection
+
+A SecretKey entry is stored into the KeyStore with the `engineSetKeyEntry()`
+method, exposed publicly through `KeyStore` as `setKeyEntry()`, when
+passing in a `Key` of type `SecretKey`. The password argument is not allowed
+to be null, otherwise a KeyStoreException is thrown.
+
+```
+void setKeyEntry(String alias, Key key, char[] password, Certificate[] chain)
+```
+
+Process of storing a SecretKey is the same as PrivateKey above, except
+there is no certificate so no certifiate or private key sanity checks are done.
+The same encrypt/decrypt process is shared between PrivateKey and SecretKey
+protection.
+
+## Certificate Protection
+
+A Certificate entry is stored into the KeyStore with the
+`engineSetCertificateEntry()` method. Certificate entries are not protected
+and are stored directly into the KeyStore.
+
+They are integrity protected by the KeyStore HMAC when a KeyStore is written
+out to a stream with `engineStore()`, but otherwise have no internal
+encryption or integrity protection since no password is provided when storing
+certificates.
+
+## Password Conversion Algorithm
+
+The Java KeyStore class specifies that passwords are provided by the user as a
+Java character array (`char[]`). Before using a password as input to PBKDF2,
+wolfJCE is converts it into a byte array. In Java, one character (`char`) is
+composed of two bytes (`byte`). RFC 2898 (PBKDF2) considers a password to be an
+octet string and recommends for interop ASCII or UTF-8 encoding be used. SunJCE
+uses UTF-8 for PBKDF2 SecretKeyFactory, so we do the same in WolfSSLKeyStore
+using `WolfCryptSecretKeyFactory.passwordToByteArray(char[])`.
+
+# Support
+
+Please email support@wolfssl.com with any questions.
+

examples/WindowsConfig.bat

@@ -9,7 +9,7 @@
 :: included by other example .bat files.
 
 :: wolfSSL Normal non-FIPS (DLL Debug x64)
-SET WOLFSSL_DLL_DIR=..\..\..\wolfssl\IDE\WIN10\DLL Debug\x64
+SET WOLFSSL_DLL_DIR=..\..\..\wolfssl\DLL Debug\x64
 SET WOLFCRYPTJNI_DLL_DIR=..\..\IDE\WIN\DLL Debug\x64
 
 :: wolfSSL Normal non-FIPS (DLL Release x64)

examples/certs/README.md

@@ -26,18 +26,28 @@ the example Java KeyStore files, see the next section.
 
 ## Updating Example Java KeyStore Files
 
-To update the example Java KeyStore files, use the provided `update-jks.sh`
+To update the example Java KeyStore files, use the provided `update-jks-wks.sh`
 bash script. This script requires one argument on the command line which is
 the location of the wolfSSL proper certs directory.
 
+This script will create new KeyStore files from original certificates. It will
+first create JKS KeyStore files, then convert those to WKS (WolfSSLKeyStore)
+format.
+
 ```
 $ cd wolfcryptjni/examples/certs
-$ ./update-jks.sh /path/to/wolfssl/certs
+$ ./update-jks-wks.sh /path/to/wolfssl/certs
 ```
 
-This script only updates the example .jks files and not the individual
+This script only updates the example .jks and .wks files and not the individual
 .pem or .der files in this directory. For that, please see the above section.
 
+## Testing that Java keytool can read/parse WKS files
+
+To confirm that Java keytool can parse WolfSSLKeyStore (WKS) format stores OK,
+the `keytool-print-wks.sh` script can be used. This will call `keytool -list`
+on each WKS KeyStore which is expected to pass successfully.
+
 ## Support
 
 Please contact the wolfSSL support team at support@wolfssl.com with any

examples/certs/crl/cliCrl.pem

@@ -2,41 +2,41 @@ Certificate Revocation List (CRL):
         Version 2 (0x1)
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_2048, OU = Programming-2048, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
-        Last Update: Dec 13 22:19:33 2023 GMT
-        Next Update: Sep  8 22:19:33 2026 GMT
+        Last Update: Jan  9 00:34:30 2024 GMT
+        Next Update: Oct  5 00:34:30 2026 GMT
         CRL extensions:
             X509v3 CRL Number: 
                 8
 Revoked Certificates:
     Serial Number: 02
-        Revocation Date: Dec 13 22:19:33 2023 GMT
+        Revocation Date: Jan  9 00:34:30 2024 GMT
     Signature Algorithm: sha256WithRSAEncryption
-         74:17:9b:40:81:d2:a0:f3:26:68:44:5b:f8:a2:6c:3f:7e:71:
-         75:a2:7f:c6:e6:71:cb:f9:08:57:42:cd:3e:3f:ab:cd:0c:85:
-         36:45:58:8b:59:28:81:d9:b0:6b:10:4a:d0:7d:59:ad:cf:53:
-         05:cb:13:c7:c1:ec:65:64:6b:4d:e6:87:0b:ae:06:60:ab:8a:
-         3c:ae:c1:7d:ed:8f:ee:09:02:7a:3a:f2:21:bf:89:ef:cd:14:
-         b1:03:64:2d:b2:b6:45:15:da:2d:ee:2d:c0:15:3b:a8:01:a8:
-         4f:30:61:ae:99:b9:16:07:b5:8b:71:8f:38:ac:69:82:39:90:
-         92:ff:d6:41:33:3b:92:5b:f2:dd:56:5a:8f:82:d1:1f:76:ee:
-         ca:01:a2:ac:c0:22:41:dd:6e:e1:ce:06:b0:6f:bc:e2:da:91:
-         11:c1:a0:41:16:7d:ba:7e:a1:53:13:14:4b:54:3b:b9:44:cf:
-         4f:1c:ef:ce:a8:bd:e8:ab:ba:de:97:f7:b7:7d:4f:ab:7a:e7:
-         73:65:97:a1:d9:a3:f3:92:f1:95:06:6d:52:7b:6e:fd:26:56:
-         55:83:c7:71:f7:a4:8f:9a:2c:52:04:dd:9f:85:ab:9c:88:e1:
-         30:c6:4a:88:7d:20:1b:c6:47:8b:82:cc:9d:0f:51:69:b1:90:
-         b2:8a:9c:74
+         52:11:97:57:04:d7:e2:14:1f:c4:7f:a2:d8:cf:4c:b7:5b:0c:
+         d3:ac:ca:29:10:74:09:2f:3d:fb:4d:75:3e:32:21:5a:0f:41:
+         5f:cc:e7:98:f8:ea:8e:e2:c9:57:60:b6:a3:b0:70:10:18:b9:
+         86:a3:65:1e:3a:88:13:df:44:18:15:51:00:f6:33:d6:ab:90:
+         18:93:df:ac:7d:15:5c:6a:63:55:d1:4d:41:37:03:89:86:65:
+         fa:fb:d7:b1:73:db:c3:43:08:ff:89:94:89:b1:b4:ad:96:78:
+         52:92:50:8c:0a:5d:ca:29:8b:e0:bc:ca:88:c0:7a:52:48:d3:
+         cf:09:03:08:5f:a1:b9:16:b0:55:5e:11:60:7f:73:9a:98:05:
+         54:97:bf:eb:0e:04:61:4f:b4:40:23:61:9a:07:69:78:fc:16:
+         de:f4:54:04:cf:f0:2b:07:8d:51:9e:6b:b5:77:c4:13:2c:a3:
+         40:99:ed:fa:f4:00:4a:45:36:da:52:9d:dc:88:66:3e:03:f0:
+         20:ce:54:a4:56:58:a8:9e:30:78:e8:42:2d:a8:0f:9b:c4:a9:
+         ab:13:c2:4e:ec:be:2e:99:16:56:2f:22:86:96:27:1d:30:80:
+         7d:a5:f8:45:ef:93:b4:63:13:96:4f:6a:df:a0:11:3b:52:be:
+         93:03:7a:81
 -----BEGIN X509 CRL-----
 MIICDjCB9wIBATANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCVVMxEDAOBgNV
 BAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZTU0xf
 MjA0ODEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMjA0ODEYMBYGA1UEAwwPd3d3Lndv
-bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yMzEy
-MTMyMjE5MzNaFw0yNjA5MDgyMjE5MzNaMBQwEgIBAhcNMjMxMjEzMjIxOTMzWqAO
-MAwwCgYDVR0UBAMCAQgwDQYJKoZIhvcNAQELBQADggEBAHQXm0CB0qDzJmhEW/ii
-bD9+cXWif8bmccv5CFdCzT4/q80MhTZFWItZKIHZsGsQStB9Wa3PUwXLE8fB7GVk
-a03mhwuuBmCrijyuwX3tj+4JAno68iG/ie/NFLEDZC2ytkUV2i3uLcAVO6gBqE8w
-Ya6ZuRYHtYtxjzisaYI5kJL/1kEzO5Jb8t1WWo+C0R927soBoqzAIkHdbuHOBrBv
-vOLakRHBoEEWfbp+oVMTFEtUO7lEz08c786oveirut6X97d9T6t653Nll6HZo/OS
-8ZUGbVJ7bv0mVlWDx3H3pI+aLFIE3Z+Fq5yI4TDGSoh9IBvGR4uCzJ0PUWmxkLKK
-nHQ=
+bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNDAx
+MDkwMDM0MzBaFw0yNjEwMDUwMDM0MzBaMBQwEgIBAhcNMjQwMTA5MDAzNDMwWqAO
+MAwwCgYDVR0UBAMCAQgwDQYJKoZIhvcNAQELBQADggEBAFIRl1cE1+IUH8R/otjP
+TLdbDNOsyikQdAkvPftNdT4yIVoPQV/M55j46o7iyVdgtqOwcBAYuYajZR46iBPf
+RBgVUQD2M9arkBiT36x9FVxqY1XRTUE3A4mGZfr717Fz28NDCP+JlImxtK2WeFKS
+UIwKXcopi+C8yojAelJI088JAwhfobkWsFVeEWB/c5qYBVSXv+sOBGFPtEAjYZoH
+aXj8Ft70VATP8CsHjVGea7V3xBMso0CZ7fr0AEpFNtpSndyIZj4D8CDOVKRWWKie
+MHjoQi2oD5vEqasTwk7svi6ZFlYvIoaWJx0wgH2l+EXvk7RjE5ZPat+gETtSvpMD
+eoE=
 -----END X509 CRL-----

examples/certs/crl/crl.pem

@@ -2,40 +2,40 @@ Certificate Revocation List (CRL):
         Version 2 (0x1)
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
-        Last Update: Dec 13 22:19:33 2023 GMT
-        Next Update: Sep  8 22:19:33 2026 GMT
+        Last Update: Jan  9 00:34:30 2024 GMT
+        Next Update: Oct  5 00:34:30 2026 GMT
         CRL extensions:
             X509v3 CRL Number: 
                 2
 Revoked Certificates:
     Serial Number: 02
-        Revocation Date: Dec 13 22:19:33 2023 GMT
+        Revocation Date: Jan  9 00:34:30 2024 GMT
     Signature Algorithm: sha256WithRSAEncryption
-         48:36:98:18:42:9c:0c:81:51:19:75:4b:26:9a:e0:07:18:89:
-         a2:a1:bd:b6:4e:91:f2:44:93:1a:50:a1:8f:72:1f:c4:ae:99:
-         81:c5:00:3a:94:03:de:00:24:98:d4:2c:17:e5:ba:f2:29:3a:
-         43:c8:23:ba:73:6a:5c:99:5d:ba:80:dd:bd:4f:cd:53:a6:cf:
-         33:11:31:30:27:e2:d2:31:06:65:b8:3e:cf:fe:00:21:ff:0d:
-         18:4f:fc:fd:d5:80:75:72:7c:2e:44:c1:a1:26:a6:8a:88:c8:
-         c0:66:1a:d4:99:36:ca:8f:67:42:8f:7c:f2:1a:e7:1b:d0:90:
-         05:22:0d:29:d3:35:57:23:8c:bb:d2:53:c1:a8:00:3c:d4:b3:
-         97:23:8a:4f:1d:8b:c9:73:6a:96:40:b0:a4:b1:c7:de:06:4d:
-         a3:5d:6a:d2:f5:5c:1e:f0:21:0f:d1:fd:21:89:e2:9e:3d:c1:
-         b2:f0:0f:5e:79:1e:47:48:92:bf:eb:96:28:ad:0b:89:5e:3b:
-         ed:97:29:bb:8d:24:c2:e6:26:e5:33:ef:88:17:c1:1a:97:fa:
-         51:44:a2:cc:b2:64:e5:5c:94:54:ed:3b:7d:8f:34:4a:4b:d3:
-         ca:62:f9:20:00:86:26:ea:1b:a9:b4:df:8f:f4:4d:d8:3e:95:
-         aa:3b:43:1c
+         b3:6f:ed:72:d2:73:6a:77:bf:3a:55:bc:54:18:6a:71:bc:6a:
+         cc:cd:5d:90:f5:64:8d:1b:f0:e0:48:7b:f2:7b:06:86:53:63:
+         9b:d8:24:15:10:b1:19:96:9b:d2:75:a8:25:a2:35:a9:14:d6:
+         d5:5e:53:e3:34:9d:f2:8b:07:19:9b:1f:f1:02:0f:04:46:e8:
+         b8:b6:f2:8d:c7:c0:15:3e:3e:8e:96:73:15:1e:62:f6:4e:2a:
+         f7:aa:a0:91:80:12:7f:81:0c:65:cc:38:be:58:6c:14:a5:21:
+         a1:8d:f7:8a:b9:24:f4:2d:ca:c0:67:43:0b:c8:1c:b4:7d:12:
+         7f:a2:1b:19:0e:94:cf:7b:9f:75:a0:08:9a:67:3f:87:89:3e:
+         f8:58:a5:8a:1b:2d:da:9b:d0:1b:18:92:c3:d2:6a:d7:1c:fc:
+         45:69:77:c3:57:65:75:99:9e:47:2a:20:25:ef:90:f2:5f:3b:
+         7d:9c:7d:00:ea:92:54:eb:0b:e7:17:af:24:1a:f9:7c:83:50:
+         68:1d:dc:5b:60:12:a7:52:78:d9:a9:b0:1f:59:48:36:c7:a6:
+         97:34:c7:87:3f:ae:fd:a9:56:5d:48:cc:89:7a:79:60:8f:9b:
+         2b:63:3c:b3:04:1d:5f:f7:20:d2:fd:f2:51:b1:96:93:13:5b:
+         ab:74:82:8b
 -----BEGIN X509 CRL-----
 MIICBDCB7QIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMxEDAOBgNV
 BAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3Ro
 MRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
-HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTIzMTIxMzIyMTkzM1oX
-DTI2MDkwODIyMTkzM1owFDASAgECFw0yMzEyMTMyMjE5MzNaoA4wDDAKBgNVHRQE
-AwIBAjANBgkqhkiG9w0BAQsFAAOCAQEASDaYGEKcDIFRGXVLJprgBxiJoqG9tk6R
-8kSTGlChj3IfxK6ZgcUAOpQD3gAkmNQsF+W68ik6Q8gjunNqXJlduoDdvU/NU6bP
-MxExMCfi0jEGZbg+z/4AIf8NGE/8/dWAdXJ8LkTBoSamiojIwGYa1Jk2yo9nQo98
-8hrnG9CQBSINKdM1VyOMu9JTwagAPNSzlyOKTx2LyXNqlkCwpLHH3gZNo11q0vVc
-HvAhD9H9IYninj3BsvAPXnkeR0iSv+uWKK0LiV477Zcpu40kwuYm5TPviBfBGpf6
-UUSizLJk5VyUVO07fY80SkvTymL5IACGJuobqbTfj/RN2D6VqjtDHA==
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTI0MDEwOTAwMzQzMFoX
+DTI2MTAwNTAwMzQzMFowFDASAgECFw0yNDAxMDkwMDM0MzBaoA4wDDAKBgNVHRQE
+AwIBAjANBgkqhkiG9w0BAQsFAAOCAQEAs2/tctJzane/OlW8VBhqcbxqzM1dkPVk
+jRvw4Eh78nsGhlNjm9gkFRCxGZab0nWoJaI1qRTW1V5T4zSd8osHGZsf8QIPBEbo
+uLbyjcfAFT4+jpZzFR5i9k4q96qgkYASf4EMZcw4vlhsFKUhoY33irkk9C3KwGdD
+C8gctH0Sf6IbGQ6Uz3ufdaAImmc/h4k++Filihst2pvQGxiSw9Jq1xz8RWl3w1dl
+dZmeRyogJe+Q8l87fZx9AOqSVOsL5xevJBr5fINQaB3cW2ASp1J42amwH1lINsem
+lzTHhz+u/alWXUjMiXp5YI+bK2M8swQdX/cg0v3yUbGWkxNbq3SCiw==
 -----END X509 CRL-----

examples/certs/crl/crl.revoked

@@ -2,43 +2,43 @@ Certificate Revocation List (CRL):
         Version 2 (0x1)
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
-        Last Update: Dec 13 22:19:33 2023 GMT
-        Next Update: Sep  8 22:19:33 2026 GMT
+        Last Update: Jan  9 00:34:30 2024 GMT
+        Next Update: Oct  5 00:34:30 2026 GMT
         CRL extensions:
             X509v3 CRL Number: 
                 3
 Revoked Certificates:
     Serial Number: 01
-        Revocation Date: Dec 13 22:19:33 2023 GMT
+        Revocation Date: Jan  9 00:34:30 2024 GMT
     Serial Number: 02
-        Revocation Date: Dec 13 22:19:33 2023 GMT
+        Revocation Date: Jan  9 00:34:30 2024 GMT
     Signature Algorithm: sha256WithRSAEncryption
-         72:6e:a4:64:36:6b:e8:e0:c5:1d:98:ef:ab:7e:7a:14:f2:8d:
-         99:d0:57:4b:76:ac:f4:89:60:cd:89:23:9d:01:34:f3:83:e5:
-         82:21:b3:48:c4:42:25:7f:ea:9f:74:5f:e8:b8:d6:71:bb:a2:
-         39:d8:ef:46:a8:13:ba:7d:44:ab:d6:13:65:18:de:b5:03:85:
-         a7:c6:4f:0a:a0:6a:78:ba:7b:f7:ce:6e:ba:1c:ef:6f:b1:04:
-         a8:ac:c6:de:3b:76:77:3e:3d:8b:ae:8b:2b:7e:c9:4f:77:31:
-         7f:1f:f5:04:2c:e9:cf:a1:56:c2:59:e9:be:49:9f:e8:67:a3:
-         42:66:05:21:02:64:82:b2:74:a7:4b:89:89:7d:43:1a:41:fd:
-         53:8c:d6:4f:27:04:2a:48:6b:9e:62:fa:4a:42:83:22:53:3f:
-         53:07:4f:bc:cd:8d:8d:cc:15:c6:ff:3c:af:7d:db:ab:dd:fa:
-         8f:65:86:86:2a:89:5e:3f:d5:4b:39:80:78:3f:6e:38:3b:6d:
-         a5:5e:2c:9e:1d:2f:9c:62:12:b1:34:f2:95:64:37:dc:4b:20:
-         dc:27:f3:de:81:67:b2:04:b0:14:b9:47:e3:65:e3:2f:35:27:
-         c2:fc:22:db:24:bd:04:58:88:17:e3:42:3c:a5:ef:53:39:15:
-         54:52:ac:a1
+         35:50:96:da:71:71:90:d5:b7:37:5a:a6:b9:09:07:2f:af:c9:
+         e0:02:32:6a:43:6e:20:ec:20:a4:ac:d0:39:a9:19:35:d0:d2:
+         6f:bb:d1:cd:46:10:a7:cb:8a:be:0a:02:a2:91:f5:29:74:ee:
+         34:83:a3:8c:a0:ca:39:af:94:4a:23:d7:56:57:6b:cc:c6:eb:
+         b0:ce:9f:0a:e1:b0:a8:12:6b:6a:8b:21:73:22:6f:49:41:cd:
+         fd:85:44:d1:fa:52:6b:2f:b2:2b:02:e7:43:0e:f1:92:bc:15:
+         8f:22:28:49:25:69:93:d8:50:10:2f:93:e2:f5:b0:31:5c:eb:
+         1a:35:e2:40:83:25:87:55:4d:c0:85:06:37:9e:23:44:80:a1:
+         f9:e2:eb:9c:90:28:7a:71:d8:55:a2:8b:70:32:31:33:26:70:
+         fe:1d:11:d5:4b:c1:04:47:19:59:44:8f:0b:0a:ec:d6:62:40:
+         8a:6f:67:2e:6a:50:38:54:35:c9:f8:d5:ec:e8:ae:93:88:3d:
+         a0:40:81:2c:e0:fe:f7:c8:68:24:8e:41:04:88:af:94:82:97:
+         75:e5:69:4c:22:1d:f9:67:53:a3:4c:a3:db:bf:55:08:e7:3a:
+         07:67:a2:28:25:63:af:f8:0e:c7:d3:c1:77:ef:20:20:20:63:
+         9e:5c:22:81
 -----BEGIN X509 CRL-----
 MIICGTCCAQECAQEwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYD
 VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290
 aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
-MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yMzEyMTMyMjE5MzNa
-Fw0yNjA5MDgyMjE5MzNaMCgwEgIBARcNMjMxMjEzMjIxOTMzWjASAgECFw0yMzEy
-MTMyMjE5MzNaoA4wDDAKBgNVHRQEAwIBAzANBgkqhkiG9w0BAQsFAAOCAQEAcm6k
-ZDZr6ODFHZjvq356FPKNmdBXS3as9IlgzYkjnQE084PlgiGzSMRCJX/qn3Rf6LjW
-cbuiOdjvRqgTun1Eq9YTZRjetQOFp8ZPCqBqeLp7985uuhzvb7EEqKzG3jt2dz49
-i66LK37JT3cxfx/1BCzpz6FWwlnpvkmf6GejQmYFIQJkgrJ0p0uJiX1DGkH9U4zW
-TycEKkhrnmL6SkKDIlM/UwdPvM2NjcwVxv88r33bq936j2WGhiqJXj/VSzmAeD9u
-ODttpV4snh0vnGISsTTylWQ33Esg3Cfz3oFnsgSwFLlH42XjLzUnwvwi2yS9BFiI
-F+NCPKXvUzkVVFKsoQ==
+MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNDAxMDkwMDM0MzBa
+Fw0yNjEwMDUwMDM0MzBaMCgwEgIBARcNMjQwMTA5MDAzNDMwWjASAgECFw0yNDAx
+MDkwMDM0MzBaoA4wDDAKBgNVHRQEAwIBAzANBgkqhkiG9w0BAQsFAAOCAQEANVCW
+2nFxkNW3N1qmuQkHL6/J4AIyakNuIOwgpKzQOakZNdDSb7vRzUYQp8uKvgoCopH1
+KXTuNIOjjKDKOa+USiPXVldrzMbrsM6fCuGwqBJraoshcyJvSUHN/YVE0fpSay+y
+KwLnQw7xkrwVjyIoSSVpk9hQEC+T4vWwMVzrGjXiQIMlh1VNwIUGN54jRICh+eLr
+nJAoenHYVaKLcDIxMyZw/h0R1UvBBEcZWUSPCwrs1mJAim9nLmpQOFQ1yfjV7Oiu
+k4g9oECBLOD+98hoJI5BBIivlIKXdeVpTCId+WdTo0yj279VCOc6B2eiKCVjr/gO
+x9PBd+8gICBjnlwigQ==
 -----END X509 CRL-----

examples/certs/crl/eccCliCRL.pem

@@ -2,25 +2,25 @@ Certificate Revocation List (CRL):
         Version 2 (0x1)
         Signature Algorithm: ecdsa-with-SHA256
         Issuer: C = US, ST = Oregon, L = Salem, O = Client ECC, OU = Fast, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
-        Last Update: Dec 13 22:19:33 2023 GMT
-        Next Update: Sep  8 22:19:33 2026 GMT
+        Last Update: Jan  9 00:34:30 2024 GMT
+        Next Update: Oct  5 00:34:30 2026 GMT
         CRL extensions:
             X509v3 CRL Number: 
                 9
 Revoked Certificates:
     Serial Number: 02
-        Revocation Date: Dec 13 22:19:33 2023 GMT
+        Revocation Date: Jan  9 00:34:30 2024 GMT
     Signature Algorithm: ecdsa-with-SHA256
-         30:45:02:21:00:dc:a7:bf:34:1b:68:b6:54:0c:38:8d:46:41:
-         84:bf:fa:f0:96:00:89:a6:81:4a:0f:15:12:ef:15:98:f7:51:
-         95:02:20:08:57:33:0d:c1:a5:c6:83:63:49:96:8c:71:41:7b:
-         40:92:67:80:d6:23:62:2a:c2:f2:43:5a:92:9b:9b:d6:83
+         30:45:02:20:3b:07:f1:6c:fb:19:62:f2:56:2a:5c:21:a3:7d:
+         bf:06:33:3e:b4:53:01:f3:f5:0e:e6:ca:f5:b9:26:7e:4d:ca:
+         02:21:00:dd:04:d6:b1:18:01:b7:d6:ca:d9:7b:29:53:cf:9e:
+         ad:38:ef:fa:70:2c:41:74:ba:ce:e6:77:1f:22:86:f0:e3
 -----BEGIN X509 CRL-----
 MIIBPDCB4wIBATAKBggqhkjOPQQDAjCBjTELMAkGA1UEBhMCVVMxDzANBgNVBAgM
 Bk9yZWdvbjEOMAwGA1UEBwwFU2FsZW0xEzARBgNVBAoMCkNsaWVudCBFQ0MxDTAL
 BgNVBAsMBEZhc3QxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3
-DQEJARYQaW5mb0B3b2xmc3NsLmNvbRcNMjMxMjEzMjIxOTMzWhcNMjYwOTA4MjIx
-OTMzWjAUMBICAQIXDTIzMTIxMzIyMTkzM1qgDjAMMAoGA1UdFAQDAgEJMAoGCCqG
-SM49BAMCA0gAMEUCIQDcp780G2i2VAw4jUZBhL/68JYAiaaBSg8VEu8VmPdRlQIg
-CFczDcGlxoNjSZaMcUF7QJJngNYjYirC8kNakpub1oM=
+DQEJARYQaW5mb0B3b2xmc3NsLmNvbRcNMjQwMTA5MDAzNDMwWhcNMjYxMDA1MDAz
+NDMwWjAUMBICAQIXDTI0MDEwOTAwMzQzMFqgDjAMMAoGA1UdFAQDAgEJMAoGCCqG
+SM49BAMCA0gAMEUCIDsH8Wz7GWLyVipcIaN9vwYzPrRTAfP1DubK9bkmfk3KAiEA
+3QTWsRgBt9bK2XspU8+erTjv+nAsQXS6zuZ3HyKG8OM=
 -----END X509 CRL-----

examples/certs/crl/eccSrvCRL.pem

@@ -2,25 +2,25 @@ Certificate Revocation List (CRL):
         Version 2 (0x1)
         Signature Algorithm: ecdsa-with-SHA256
         Issuer: C = US, ST = Washington, L = Seattle, O = Elliptic, OU = ECC, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
-        Last Update: Dec 13 22:19:33 2023 GMT
-        Next Update: Sep  8 22:19:33 2026 GMT
+        Last Update: Jan  9 00:34:30 2024 GMT
+        Next Update: Oct  5 00:34:30 2026 GMT
         CRL extensions:
             X509v3 CRL Number: 
                 10
 Revoked Certificates:
     Serial Number: 02
-        Revocation Date: Dec 13 22:19:33 2023 GMT
+        Revocation Date: Jan  9 00:34:30 2024 GMT
     Signature Algorithm: ecdsa-with-SHA256
-         30:45:02:21:00:a9:26:ab:1a:4a:be:5c:92:da:9d:17:0a:b5:
-         f6:40:ea:84:93:ce:57:b8:af:68:75:e8:e9:de:a7:27:e7:79:
-         48:02:20:11:d4:03:97:19:2a:28:04:70:28:bb:5e:6a:b7:f6:
-         32:90:f1:92:ff:48:7c:cf:e7:94:0f:ce:63:de:f8:fc:6c
+         30:45:02:20:4e:83:3e:21:ee:69:a6:f2:7e:87:45:10:5c:60:
+         ad:24:49:1e:0f:9e:1f:81:03:00:43:a9:e6:1b:63:27:3f:6b:
+         02:21:00:b2:7f:bd:3d:af:c4:f5:ff:82:3f:b7:6a:56:25:7c:
+         07:85:54:d9:19:44:42:60:b4:8a:e3:55:f4:a4:96:c7:d1
 -----BEGIN X509 CRL-----
 MIIBPzCB5gIBATAKBggqhkjOPQQDAjCBkDELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxETAPBgNVBAoMCEVsbGlwdGlj
 MQwwCgYDVQQLDANFQ0MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
-SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbRcNMjMxMjEzMjIxOTMzWhcNMjYwOTA4
-MjIxOTMzWjAUMBICAQIXDTIzMTIxMzIyMTkzM1qgDjAMMAoGA1UdFAQDAgEKMAoG
-CCqGSM49BAMCA0gAMEUCIQCpJqsaSr5cktqdFwq19kDqhJPOV7ivaHXo6d6nJ+d5
-SAIgEdQDlxkqKARwKLtearf2MpDxkv9IfM/nlA/OY974/Gw=
+SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbRcNMjQwMTA5MDAzNDMwWhcNMjYxMDA1
+MDAzNDMwWjAUMBICAQIXDTI0MDEwOTAwMzQzMFqgDjAMMAoGA1UdFAQDAgEKMAoG
+CCqGSM49BAMCA0gAMEUCIE6DPiHuaabyfodFEFxgrSRJHg+eH4EDAEOp5htjJz9r
+AiEAsn+9Pa/E9f+CP7dqViV8B4VU2RlEQmC0iuNV9KSWx9E=
 -----END X509 CRL-----

examples/certs/keytool-print-wks.sh

@@ -0,0 +1,36 @@
+
+# Script to print out WKS keystores using keytool -list
+#
+# Primarily used as a sanity check that keytool can successfully process
+# WKS KeyStore files using the -list command
+#
+# Export library paths for Linux and Mac to find shared JNI library
+export LD_LIBRARY_PATH=../../lib:$LD_LIBRARY_PATH
+export DYLD_LIBRARY_PATH=../../lib:$DYLD_LIBRARY_PATH
+
+# ARGS: <keystore file> <password>
+print_wks() {
+    printf "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
+    printf "KEYSTORE: $1\n"
+    keytool -list -provider com.wolfssl.provider.jce.WolfCryptProvider --providerpath ../../lib/wolfcrypt-jni.jar -storetype WKS -storepass "$2" -keystore ${1}
+    if [ $? -ne 0 ]; then
+        printf "fail"
+        exit 1
+    fi
+}
+
+print_wks "client.wks" "wolfsslpassword"
+print_wks "client-rsa-1024.wks" "wolfsslpassword"
+print_wks "client-rsa.wks" "wolfsslpassword"
+print_wks "client-ecc.wks" "wolfsslpassword"
+print_wks "server.wks" "wolfsslpassword"
+print_wks "server-rsa-1024.wks" "wolfsslpassword"
+print_wks "server-rsa.wks" "wolfsslpassword"
+print_wks "server-ecc.wks" "wolfsslpassword"
+print_wks "cacerts.wks" "wolfsslpassword"
+print_wks "ca-client.wks" "wolfsslpassword"
+print_wks "ca-server.wks" "wolfsslpassword"
+print_wks "ca-server-rsa-2048.wks" "wolfsslpassword"
+print_wks "ca-server-ecc-256.wks" "wolfsslpassword"
+
+printf "\nSUCCESS printing all KeyStore files\n"

examples/certs/systemcerts/system-cacerts-to-wks.sh

@@ -0,0 +1,154 @@
+#!/bin/bash
+#
+# Script to convert system CA certs KeyStore file from JKS to WKS format
+#
+# This script tries to detect OS variant and Java version to find correct
+# CA certificate KeyStore for this system.
+#
+# The following search order is used for trying to find either cacerts,
+# jssecacerts, or both:
+#
+# cacerts
+#   1. $JAVA_HOME/lib/security/cacerts         (JDK 9+)
+#   2. $JAVA_HOME/jre/lib/security/cacerts     (JDK <= 8)
+#
+# jssecacerts:
+#
+#   1. $JAVA_HOME/lib/security/jssecacerts     (JDK 9+)
+#   2. $JAVA_HOME/jre/lib/security/jssecacerts (JDK <= 8)
+#
+# The default cacerts.jks password is 'changeit'. Since wolfCrypt FIPS
+# requires a minimum HMAC key size of 14 bytes, we expand the password
+# to 'changeitchangeit' here to get past the 14 byte limitation when using
+# WKS type.
+#
+
+# Export library paths for Linux and Mac to find shared JNI library
+export LD_LIBRARY_PATH=../../../lib:$LD_LIBRARY_PATH
+export DYLD_LIBRARY_PATH=../../../lib:$DYLD_LIBRARY_PATH
+
+OUTDIR=`pwd`
+
+# First argument can be passed in to represent path to
+# wolfcrypt-jni.jar provider JAR. If not given, use default.
+if [ -z "$1" ]; then
+    # default wolfcrypt-jni.jar path
+    PROVIDER_PATH="../../../lib/wolfcrypt-jni.jar"
+else
+    # use custom provider path
+    PROVIDER_PATH=$1
+fi
+
+# ARGS: <input-keystore-name> <output-keystore-name> <in-password> <out-password> <java home>
+jks_to_wks() {
+    ${5}/bin/keytool -importkeystore -srckeystore ${1} -destkeystore ${2}.wks -srcstoretype JKS -deststoretype WKS -srcstorepass "$3" -deststorepass "$3" -deststorepass "$4" -provider com.wolfssl.provider.jce.WolfCryptProvider --providerpath "$PROVIDER_PATH"
+    if [ $? -ne 0 ]; then
+        printf "Failed to convert JKS to WKS!"
+        exit 1
+    fi
+
+}
+
+OS=`uname`
+ARCH=`uname -a`
+
+CACERTS_JDK9="lib/security/cacerts"
+CACERTS_JDK8="jre/lib/security/cacerts"
+JSSECACERTS_JDK9="lib/security/jssecacerts"
+JSSECACERTS_JDK8="jre/lib/security/jssecacerts"
+
+echo "-----------------------------------------------------------------------"
+echo "System CA KeyStore to WKS Conversion Script"
+echo "-----------------------------------------------------------------------"
+
+if [ -z "$JAVA_HOME" ]; then
+    echo "JAVA_HOME empty, trying to detect"
+else
+    echo "JAVA_HOME already set = $JAVA_HOME"
+    javaHome="$JAVA_HOME"
+fi
+
+echo "PROVIDER_PATH: $PROVIDER_PATH"
+
+# Set up Java include and library paths for OS X and Linux
+# NOTE: you may need to modify these if your platform uses different locations
+if [ "$OS" == "Darwin" ]; then
+    echo "Detected Darwin/OSX host OS"
+    if [ -z $javaHome ]; then
+        # this is broken since Big Sur, set JAVA_HOME environment var instead
+        # OSX JAVA_HOME is typically similar to:
+        #    /Library/Java/JavaVirtualMachines/jdk1.8.0_261.jdk/Contents/Home
+        javaHome=`/usr/libexec/java_home`
+    fi
+elif [ "$OS" == "Linux" ] ; then
+    echo "Detected Linux host OS"
+    if [ -z $javaHome ]; then
+        javaHome=`echo $(dirname $(dirname $(readlink -f $(which java))))`
+    fi
+    if [ ! -d "$javaHome/include" ]
+    then
+        javaHome=`echo $(dirname $javaHome)`
+    fi
+else
+    echo 'Unknown host OS!'
+    exit
+fi
+echo "    $OS $ARCH"
+echo "Java Home = $javaHome"
+echo ""
+
+if [ ! -d $OUTDIR ]; then
+    mkdir $OUTDIR
+fi
+
+if [ -f "$javaHome/$CACERTS_JDK9" ]; then
+    echo "System cacerts found, converting from JKS to WKS:"
+    echo "    FROM: $javaHome/$CACERTS_JDK9"
+    echo "    TO:   $OUTDIR/cacerts.wks"
+    echo "    IN PASS (default): changeit"
+    echo "    OUT PASS: changeitchangeit"
+    if [ -f $OUTDIR/cacerts.wks ]; then
+        rm $OUTDIR/cacerts.wks
+    fi
+    jks_to_wks "$javaHome/$CACERTS_JDK9" "$OUTDIR/cacerts" "changeit" "changeitchangeit" $javaHome
+fi
+
+if [ -f "$javaHome/$CACERTS_JDK8" ]; then
+    echo "System cacerts found, converting from JKS to WKS:"
+    echo "    FROM: $javaHome/$CACERTS_JDK8"
+    echo "    TO:   $OUTDIR/cacerts.wks"
+    echo "    IN PASS (default): changeit"
+    echo "    OUT PASS: changeitchangeit"
+    if [ -f $OUTDIR/cacerts.wks ]; then
+        rm $OUTDIR/cacerts.wks
+    fi
+    jks_to_wks "$javaHome/$CACERTS_JDK8" "$OUTDIR/cacerts" "changeit" "changeitchangeit" $javaHome
+fi
+
+if [ -f "$javaHome/$JSSECERTS_JDK9" ]; then
+    echo "System jssecacerts found, converting from JKS to WKS:"
+    echo "    FROM: $javaHome/$JSSECACERTS_JDK9"
+    echo "    TO:   $OUTDIR/jssecacerts.wks"
+    echo "    IN PASS (default): changeit"
+    echo "    OUT PASS: changeitchangeit"
+    if [ -f $OUTDIR/jssecacerts.wks ]; then
+        rm $OUTDIR/jssecacerts.wks
+    fi
+    jks_to_wks "$javaHome/$JSSECACERTS_JDK9" "$OUTDIR/jssecacerts" "changeit" "changeitchangeit" $javaHome
+fi
+
+if [ -f "$javaHome/$JSSECERTS_JDK8" ]; then
+    echo "System jssecacerts found, converting from JKS to WKS:"
+    echo "    FROM: $javaHome/$JSSECACERTS_JDK8"
+    echo "    TO:   $OUTDIR/jssecacerts.wks"
+    echo "    IN PASS (default): changeit"
+    echo "    OUT PASS: changeitchangeit"
+    if [ -f $OUTDIR/jssecacerts.wks ]; then
+        rm $OUTDIR/jssecacerts.wks
+    fi
+    jks_to_wks "$javaHome/$JSSECACERTS_JDK8" "$OUTDIR/jssecacerts" "changeit" "changeitchangeit" $javaHome
+fi
+
+echo ""
+echo "Successfully converted JKS to WKS"
+

examples/certs/update-certs.sh

@@ -44,11 +44,14 @@ certList=(
     "ecc-client-key.der"
     "ecc-client-key.pem"
     "ecc-key.pem"
+    "ecc-keyPkcs8.der"
     "server-cert.pem"
     "server-cert.der"
     "server-ecc.pem"
     "server-ecc.der"
     "server-key.pem"
+    "server-key.der"
+    "server-keyPkcs8.der"
     "crl/cliCrl.pem"
     "crl/crl.pem"
     "crl/crl.der"

examples/certs/update-jks-wks.sh

@@ -0,0 +1,256 @@
+
+# Example KeyStore Update Script
+#
+# This script is Used to update all example JKS and WKS stores, using example
+# certificates found in wolfSSL proper.
+#
+# Java KeyStores which this script creates includes the following. WKS
+# versions will also be generated of each of these:
+#
+# client.jks              RSA 2048-bit and ECC client certs:
+#                         client-cert.pem, client-ecc-cert.pem
+# client-rsa-1024.jks     RSA 1024-bit only client cert:
+#                         1024/client-cert.pem, 1024/client-key.pem
+# client-rsa.jks          RSA 2048-bit only client cert:
+#                         client-cert.pem, client-key.pem
+# client-ecc.jks          ECC only client cert:
+#                         client-ecc-cert.pem, ecc-client-key.pem
+# server.jks              RSA 2048-bit and ECC server certs:
+#                         server-cert.pem, server-ecc.pem
+# server-rsa-1024.jks     RSA 1024-bit only server cert:
+#                         1024/server-cert.pem, 1024/server-key.pem
+# server-rsa.jks          RSA 2048-bit only server cert:
+#                         server-cert.pem, server-key.pem
+# server-ecc.jks          ECC only server cert:
+#                         server-ecc.pem, ecc-key.pem
+# cacerts.jks             All CA certs (RSA, ECC, 1024, 2048, etc)
+# ca-client.jks           CA certs used to verify client certs:
+#                         client-cert.pem, client-ecc-cert.pem
+# ca-server.jks           CA certs used to verify server certs:
+#                         ca-cert.pem, ca-ecc-cert.pem
+# ca-server-rsa-2048.jks  CA cert used to verify 2048-bit RSA server cert:
+#                         ca-cert.pem
+# ca-server-ecc-256.jks   CA cert used to veirfy ECC P-256 server cert:
+#                         ca-ecc-cert.pem
+#
+# NOTE: Keystores generated by this script are generated in JKS format,
+#       instead of the newer/better PKCS#12 format. The newer format would
+#       be preferred, but older versions of keytool do not support PKCS#12
+#       format. This would cause test failures in those older environments.
+
+printf "Removing and updating example JKS and WKS KeyStore files\n"
+if [ -z "$1" ]; then
+    printf "\tNo directory to certs provided\n"
+    printf "\tExample use ./update-jks-wks.sh ~/wolfssl/certs\n"
+    exit 1;
+fi
+CERT_LOCATION=$1
+
+# Export library paths for Linux and Mac to find shared JNI library
+export LD_LIBRARY_PATH=../../lib:$LD_LIBRARY_PATH
+export DYLD_LIBRARY_PATH=../../lib:$DYLD_LIBRARY_PATH
+
+# ARGS: <keystore-name> <keystore-type> <cert file> <alias> <password>
+add_cert() {
+    keytool -import -keystore "$1" -file "$CERT_LOCATION/$3" -alias "$4" -noprompt -trustcacerts -deststoretype "$2" -storepass "$5" &> /dev/null
+    if [ $? -ne 0 ]; then
+        printf "fail"
+        exit 1
+    fi
+}
+
+# ARGS: <keystore-name> <keystore-type> <cert file> <key file> <alias> <password>
+add_cert_key() {
+    openssl pkcs12 -export -in "$CERT_LOCATION/$3" -inkey "$CERT_LOCATION/$4" -out tmp.p12 -passin pass:"$6" -passout pass:"$6" -name "$5" &> /dev/null
+    keytool -importkeystore -deststorepass "$6" -destkeystore "$1" -deststoretype "$2" -srckeystore tmp.p12 -srcstoretype PKCS12 -srcstorepass "$6" -alias "$5" &> /dev/null
+    if [ $? -ne 0 ]; then
+        printf "fail"
+        exit 1
+    fi
+    rm tmp.p12
+}
+
+# ARGS: <keystore-name> <password>
+jks_to_wks() {
+    keytool -importkeystore -srckeystore ${1}.jks -destkeystore ${1}.wks -srcstoretype JKS -deststoretype WKS -srcstorepass "$2" -deststorepass "$2" -provider com.wolfssl.provider.jce.WolfCryptProvider --providerpath ../../lib/wolfcrypt-jni.jar &> /dev/null
+    if [ $? -ne 0 ]; then
+        printf "fail"
+        exit 1
+    fi
+
+}
+
+#################### CLIENT KEYSTORES ####################
+
+# Client cert: both RSA 2048-bit and ECC
+printf "\tCreating client.jks ..."
+rm client.jks &> /dev/null
+add_cert_key "client.jks" "JKS" "/client-cert.pem" "/client-key.pem" "client" "wolfsslpassword"
+add_cert_key "client.jks" "JKS" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
+printf "done\n"
+
+printf "\tCreating client.p12 ..."
+rm client.p12 &> /dev/null
+add_cert_key "client.p12" "PKCS12" "/client-cert.pem" "/client-key.pem" "client" "wolfsslpassword"
+add_cert_key "client.p12" "PKCS12" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
+printf "done\n"
+
+# Client cert: RSA, 1024-bit only
+printf "\tCreating client-rsa-1024.jks ..."
+rm client-rsa-1024.jks &> /dev/null
+add_cert_key "client-rsa-1024.jks" "JKS" "/1024/client-cert.pem" "/1024/client-key.pem" "client-rsa-1024" "wolfsslpassword"
+printf "done\n"
+
+# Client cert: RSA 2048-bit only
+printf "\tCreating client-rsa.jks ..."
+rm client-rsa.jks &> /dev/null
+add_cert_key "client-rsa.jks" "JKS" "/client-cert.pem" "/client-key.pem" "client-rsa" "wolfsslpassword"
+printf "done\n"
+
+# Client cert: ECC only
+printf "\tCreating client-ecc.jks ..."
+rm client-ecc.jks &> /dev/null
+add_cert_key "client-ecc.jks" "JKS" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
+printf "done\n"
+
+#################### SERVER KEYSTORES ####################
+
+# Server cert: both RSA 2048-bit and ECC
+printf "\tCreating server.jks ..."
+rm server.jks &> /dev/null
+add_cert_key "server.jks" "JKS" "/server-cert.pem" "/server-key.pem" "server" "wolfsslpassword"
+add_cert_key "server.jks" "JKS" "/server-ecc.pem" "/ecc-key.pem" "server-ecc" "wolfsslpassword"
+printf "done\n"
+
+# Server cert: RSA, 1024-bit only
+printf "\tCreating server-rsa-1024.jks ..."
+rm server-rsa-1024.jks &> /dev/null
+add_cert_key "server-rsa-1024.jks" "JKS" "/1024/server-cert.pem" "/1024/server-key.pem" "server-1024" "wolfsslpassword"
+printf "done\n"
+
+# Server cert: RSA, 2048-bit only
+printf "\tCreating server-rsa.jks ..."
+rm server-rsa.jks &> /dev/null
+add_cert_key "server-rsa.jks" "JKS" "/server-cert.pem" "/server-key.pem" "server-rsa" "wolfsslpassword"
+printf "done\n"
+
+# Server cert: ECC only
+printf "\tCreating server-ecc.jks ..."
+rm server-ecc.jks &> /dev/null
+add_cert_key "server-ecc.jks" "JKS" "/server-ecc.pem" "/ecc-key.pem" "server-ecc" "wolfsslpassword"
+printf "done\n"
+
+#################### CA CERT KEYSTORES ###################
+
+# Contains all CA certs (RSA and ECC), verifies both client and server certs
+printf "\tCreating cacerts.jks ..."
+rm cacerts.jks &> /dev/null
+add_cert_key "cacerts.jks" "JKS" "/ca-cert.pem" "/ca-key.pem" "cacert" "wolfsslpassword"
+add_cert_key "cacerts.jks" "JKS" "/client-cert.pem" "/client-key.pem" "client-rsa" "wolfsslpassword"
+add_cert_key "cacerts.jks" "JKS" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
+add_cert_key "cacerts.jks" "JKS" "/ca-cert.pem" "/ca-key.pem" "ca-rsa" "wolfsslpassword"
+add_cert_key "cacerts.jks" "JKS" "/ca-ecc-cert.pem" "/ca-ecc-key.pem" "ca-ecc" "wolfsslpassword"
+add_cert_key "cacerts.jks" "JKS" "/1024/ca-cert.pem" "/1024/ca-key.pem" "ca-1024" "wolfsslpassword"
+printf "done\n"
+
+# Contains CA certs used to verify client certs:
+# client-cert.pem verifies itself (self signed)
+# client-ecc-cert.pem verifies itself (self signed)
+printf "\tCreating ca-client.jks ..."
+rm ca-client.jks &> /dev/null
+add_cert_key "ca-client.jks" "JKS" "/client-cert.pem" "/client-key.pem" "client-rsa" "wolfsslpassword"
+add_cert_key "ca-client.jks" "JKS" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
+printf "done\n"
+
+# Contains CA certs used to verify server certs:
+# ca-cert.pem verifies server-cert.pem
+# ca-ecc-cert.pem verifies server-ecc.pem
+printf "\tCreating ca-server.jks ..."
+rm ca-server.jks &> /dev/null
+add_cert_key "ca-server.jks" "JKS" "/ca-cert.pem" "/ca-key.pem" "ca-rsa" "wolfsslpassword"
+add_cert_key "ca-server.jks" "JKS" "/ca-ecc-cert.pem" "/ca-ecc-key.pem" "ca-ecc" "wolfsslpassword"
+printf "done\n"
+
+# Contains CA cert used to verify RSA 2048-bit server cert:
+# ca-cert.pem verifies server-cert.pem
+printf "\tCreating ca-server-rsa-2048.jks ..."
+rm ca-server-rsa-2048.jks &> /dev/null
+add_cert "ca-server-rsa-2048.jks" "JKS" "/ca-cert.pem" "ca-rsa" "wolfsslpassword"
+printf "done\n"
+
+# Contains CA cert used to verify ECC P-256 server cert:
+# ca-ecc-cert.pem verifies server-ecc.pem
+printf "\tCreating ca-server-ecc-256.jks ..."
+rm ca-server-ecc-256.jks &> /dev/null
+add_cert "ca-server-ecc-256.jks" "JKS" "/ca-ecc-cert.pem" "ca-ecc" "wolfsslpassword"
+printf "done\n"
+
+################### CONVERT JKS TO WKS ###################
+
+printf "\nConverting keystores from JKS to WKS ...\n"
+
+printf "\tCreating client.wks ..."
+rm client.wks &> /dev/null
+jks_to_wks "client" "wolfsslpassword"
+printf "done\n"
+
+printf "\tCreating client-rsa-1024.wks ..."
+rm client-rsa-1024.wks &> /dev/null
+jks_to_wks "client-rsa-1024" "wolfsslpassword"
+printf "done\n"
+
+printf "\tCreating client-rsa.wks ..."
+rm client-rsa.wks &> /dev/null
+jks_to_wks "client-rsa" "wolfsslpassword"
+printf "done\n"
+
+printf "\tCreating client-ecc.wks ..."
+rm client-ecc.wks &> /dev/null
+jks_to_wks "client-ecc" "wolfsslpassword"
+printf "done\n"
+
+printf "\tCreating server.wks ..."
+rm server.wks &> /dev/null
+jks_to_wks "server" "wolfsslpassword"
+printf "done\n"
+
+printf "\tCreating server-rsa-1024.wks ..."
+rm server-rsa-1024.wks &> /dev/null
+jks_to_wks "server-rsa-1024" "wolfsslpassword"
+printf "done\n"
+
+printf "\tCreating server-rsa.wks ..."
+rm server-rsa.wks &> /dev/null
+jks_to_wks "server-rsa" "wolfsslpassword"
+printf "done\n"
+
+printf "\tCreating server-ecc.wks ..."
+rm server-ecc.wks &> /dev/null
+jks_to_wks "server-ecc" "wolfsslpassword"
+printf "done\n"
+
+printf "\tCreating cacerts.wks ..."
+rm cacerts.wks &> /dev/null
+jks_to_wks "cacerts" "wolfsslpassword"
+printf "done\n"
+
+printf "\tCreating ca-client.wks ..."
+rm ca-client.wks &> /dev/null
+jks_to_wks "ca-client" "wolfsslpassword"
+printf "done\n"
+
+printf "\tCreating ca-server.wks ..."
+rm ca-server.wks &> /dev/null
+jks_to_wks "ca-server" "wolfsslpassword"
+printf "done\n"
+
+printf "\tCreating ca-server-rsa-2048.wks ..."
+rm ca-server-rsa-2048.wks &> /dev/null
+jks_to_wks "ca-server-rsa-2048" "wolfsslpassword"
+printf "done\n"
+
+printf "\tCreating ca-server-ecc-256.wks ..."
+rm ca-server-ecc-256.wks &> /dev/null
+jks_to_wks "ca-server-ecc-256" "wolfsslpassword"
+printf "done\n"
+

examples/certs/update-jks.sh

@@ -1,168 +0,0 @@
-
-# Example KeyStore Update Script
-#
-# This script is Used to update all example JKS stores, using example
-# certificates found in wolfSSL proper.
-#
-# Java KeyStores which this script creates includes:
-#
-# client.jks              RSA 2048-bit and ECC client certs:
-#                         client-cert.pem, client-ecc-cert.pem
-# client-rsa-1024.jks     RSA 1024-bit only client cert:
-#                         1024/client-cert.pem, 1024/client-key.pem
-# client-rsa.jks          RSA 2048-bit only client cert:
-#                         client-cert.pem, client-key.pem
-# client-ecc.jks          ECC only client cert:
-#                         client-ecc-cert.pem, ecc-client-key.pem
-# server.jks              RSA 2048-bit and ECC server certs:
-#                         server-cert.pem, server-ecc.pem
-# server-rsa-1024.jks     RSA 1024-bit only server cert:
-#                         1024/server-cert.pem, 1024/server-key.pem
-# server-rsa.jks          RSA 2048-bit only server cert:
-#                         server-cert.pem, server-key.pem
-# server-ecc.jks          ECC only server cert:
-#                         server-ecc.pem, ecc-key.pem
-# cacerts.jks             All CA certs (RSA, ECC, 1024, 2048, etc)
-# ca-client.jks           CA certs used to verify client certs:
-#                         client-cert.pem, client-ecc-cert.pem
-# ca-server.jks           CA certs used to verify server certs:
-#                         ca-cert.pem, ca-ecc-cert.pem
-# ca-server-rsa-2048.jks  CA cert used to verify 2048-bit RSA server cert:
-#                         ca-cert.pem
-# ca-server-ecc-256.jks   CA cert used to veirfy ECC P-256 server cert:
-#                         ca-ecc-cert.pem
-#
-# NOTE: Keystores generated by this script are generated in JKS format,
-#       instead of the newer/better PKCS#12 format. The newer format would
-#       be preferred, but older versions of keytool do not support PKCS#12
-#       format. This would cause test failures in those older environments.
-
-printf "Removing and updating JKS stores\n"
-if [ -z "$1" ]; then
-    printf "\tNo directory to certs provided\n"
-    printf "\tExample use ./update-jks.sh ~/wolfssl/certs\n"
-    exit 1;
-fi
-CERT_LOCATION=$1
-
-# keystore-name , cert file , alias , password
-add_cert() {
-    keytool -import -keystore "$1" -file "$CERT_LOCATION/$2" -alias "$3" -noprompt -trustcacerts -deststoretype JKS -storepass "$4" &> /dev/null
-    if [ $? -ne 0 ]; then
-        printf "fail"
-        exit 1
-    fi
-}
-
-# keystore-name , cert file , key file , alias , password
-add_cert_key() {
-    openssl pkcs12 -export -in "$CERT_LOCATION/$2" -inkey "$CERT_LOCATION/$3" -out tmp.p12 -passin pass:"$5" -passout pass:"$5" -name "$4" &> /dev/null
-    keytool -importkeystore -deststorepass "$5" -destkeystore "$1" -deststoretype JKS -srckeystore tmp.p12 -srcstoretype PKCS12 -srcstorepass "$5" -alias "$4" &> /dev/null
-    if [ $? -ne 0 ]; then
-        printf "fail"
-        exit 1
-    fi
-    rm tmp.p12
-}
-
-#################### CLIENT KEYSTORES ####################
-
-# Client cert: both RSA 2048-bit and ECC
-printf "\tCreating client.jks ..."
-rm client.jks &> /dev/null
-add_cert_key "client.jks" "/client-cert.pem" "/client-key.pem" "client" "wolfSSL test"
-add_cert_key "client.jks" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfSSL test"
-printf "done\n"
-
-# Client cert: RSA, 1024-bit only
-printf "\tCreating client-rsa-1024.jks ..."
-rm client-rsa-1024.jks &> /dev/null
-add_cert_key "client-rsa-1024.jks" "/1024/client-cert.pem" "/1024/client-key.pem" "client-rsa-1024" "wolfSSL test"
-printf "done\n"
-
-# Client cert: RSA 2048-bit only
-printf "\tCreating client-rsa.jks ..."
-rm client-rsa.jks &> /dev/null
-add_cert_key "client-rsa.jks" "/client-cert.pem" "/client-key.pem" "client-rsa" "wolfSSL test"
-printf "done\n"
-
-# Client cert: ECC only
-printf "\tCreating client-ecc.jks ..."
-rm client-ecc.jks &> /dev/null
-add_cert_key "client-ecc.jks" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfSSL test"
-printf "done\n"
-
-#################### SERVER KEYSTORES ####################
-
-# Server cert: both RSA 2048-bit and ECC
-printf "\tCreating server.jks ..."
-rm server.jks &> /dev/null
-add_cert_key "server.jks" "/server-cert.pem" "/server-key.pem" "server" "wolfSSL test"
-add_cert_key "server.jks" "/server-ecc.pem" "/ecc-key.pem" "server-ecc" "wolfSSL test"
-printf "done\n"
-
-# Server cert: RSA, 1024-bit only
-printf "\tCreating server-rsa-1024.jks ..."
-rm server-rsa-1024.jks &> /dev/null
-add_cert_key "server-rsa-1024.jks" "/1024/server-cert.pem" "/1024/server-key.pem" "server-1024" "wolfSSL test"
-printf "done\n"
-
-# Server cert: RSA, 2048-bit only
-printf "\tCreating server-rsa.jks ..."
-rm server-rsa.jks &> /dev/null
-add_cert_key "server-rsa.jks" "/server-cert.pem" "/server-key.pem" "server-rsa" "wolfSSL test"
-printf "done\n"
-
-# Server cert: ECC only
-printf "\tCreating server-ecc.jks ..."
-rm server-ecc.jks &> /dev/null
-add_cert_key "server-ecc.jks" "/server-ecc.pem" "/ecc-key.pem" "server-ecc" "wolfSSL test"
-printf "done\n"
-
-#################### CA CERT KEYSTORES ###################
-
-# Contains all CA certs (RSA and ECC), verifies both client and server certs
-printf "\tCreating cacerts.jks ..."
-rm cacerts.jks &> /dev/null
-add_cert_key "cacerts.jks" "/ca-cert.pem" "/ca-key.pem" "cacert" "wolfSSL test"
-add_cert_key "cacerts.jks" "/client-cert.pem" "/client-key.pem" "client-rsa" "wolfSSL test"
-add_cert_key "cacerts.jks" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfSSL test"
-add_cert_key "cacerts.jks" "/ca-cert.pem" "/ca-key.pem" "ca-rsa" "wolfSSL test"
-add_cert_key "cacerts.jks" "/ca-ecc-cert.pem" "/ca-ecc-key.pem" "ca-ecc" "wolfSSL test"
-add_cert_key "cacerts.jks" "/1024/ca-cert.pem" "/1024/ca-key.pem" "ca-1024" "wolfSSL test"
-printf "done\n"
-
-# Contains CA certs used to verify client certs:
-# client-cert.pem verifies itself (self signed)
-# client-ecc-cert.pem verifies itself (self signed)
-printf "\tCreating ca-client.jks ..."
-rm ca-client.jks &> /dev/null
-add_cert_key "ca-client.jks" "/client-cert.pem" "/client-key.pem" "client-rsa" "wolfSSL test"
-add_cert_key "ca-client.jks" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfSSL test"
-printf "done\n"
-
-# Contains CA certs used to verify server certs:
-# ca-cert.pem verifies server-cert.pem
-# ca-ecc-cert.pem verifies server-ecc.pem
-printf "\tCreating ca-server.jks ..."
-rm ca-server.jks &> /dev/null
-add_cert_key "ca-server.jks" "/ca-cert.pem" "/ca-key.pem" "ca-rsa" "wolfSSL test"
-add_cert_key "ca-server.jks" "/ca-ecc-cert.pem" "/ca-ecc-key.pem" "ca-ecc" "wolfSSL test"
-printf "done\n"
-
-# Contains CA cert used to verify RSA 2048-bit server cert:
-# ca-cert.pem verifies server-cert.pem
-printf "\tCreating ca-server-rsa-2048.jks ..."
-rm ca-server-rsa-2048.jks &> /dev/null
-#add_cert_key "ca-server-rsa-2048.jks" "/ca-cert.pem" "/ca-key.pem" "ca-rsa" "wolfSSL test"
-add_cert "ca-server-rsa-2048.jks" "/ca-cert.pem" "ca-rsa" "wolfSSL test"
-printf "done\n"
-
-# Contains CA cert used to verify ECC P-256 server cert:
-# ca-ecc-cert.pem verifies server-ecc.pem
-printf "\tCreating ca-server-ecc-256.jks ..."
-rm ca-server-ecc-256.jks &> /dev/null
-#add_cert_key "ca-server-ecc-256.jks" "/ca-ecc-cert.pem" "/ca-ecc-key.pem" "ca-ecc" "wolfSSL test"
-add_cert "ca-server-ecc-256.jks" "/ca-ecc-cert.pem" "ca-ecc" "wolfSSL test"
-printf "done\n"
-

examples/provider/CryptoBenchmark.sh

@@ -0,0 +1,113 @@
+#!/bin/bash
+
+# Flag to track if we downloaded BC during this session
+BC_DOWNLOADED=false
+
+# Function to get the latest Bouncy Castle version from Maven Central
+get_latest_version() {
+  local metadata_url="https://repo1.maven.org/maven2/org/bouncycastle/bcprov-jdk18on/maven-metadata.xml"
+  if command -v curl >/dev/null; then
+    curl -s "$metadata_url" | grep '<latest>' | sed -e 's/.*<latest>\(.*\)<\/latest>.*/\1/'
+  elif command -v wget >/dev/null; then
+    wget -q -O - "$metadata_url" | grep '<latest>' | sed -e 's/.*<latest>\(.*\)<\/latest>.*/\1/'
+  else
+    echo "Error: Neither curl nor wget is installed. Please install one to fetch the latest version."
+    exit 1
+  fi
+}
+
+# Function to download Bouncy Castle JARs with the latest version
+download_bc_jars() {
+  local bc_version=$(get_latest_version)
+  local lib_dir="../../../lib"
+  local bc_url="https://repo1.maven.org/maven2/org/bouncycastle"
+
+  if [ -z "$bc_version" ]; then
+    echo "failed (could not determine latest version)"
+    return 1
+  fi
+
+  echo -n "Downloading Bouncy Castle JARs (version $bc_version)... "
+  mkdir -p "$lib_dir" || {
+    echo "failed (cannot create $lib_dir)"
+    return 1
+  }
+
+  if command -v wget >/dev/null; then
+    wget -P "$lib_dir" "$bc_url/bcprov-jdk18on/$bc_version/bcprov-jdk18on-$bc_version.jar" &&
+      wget -P "$lib_dir" "$bc_url/bctls-jdk18on/$bc_version/bctls-jdk18on-$bc_version.jar" || {
+      echo "failed (wget error: check URL or network)"
+      return 1
+    }
+  elif command -v curl >/dev/null; then
+    curl -L -o "$lib_dir/bcprov-jdk18on-$bc_version.jar" "$bc_url/bcprov-jdk18on/$bc_version/bcprov-jdk18on-$bc_version.jar" &&
+      curl -L -o "$lib_dir/bctls-jdk18on-$bc_version.jar" "$bc_url/bctls-jdk18on/$bc_version/bctls-jdk18on-$bc_version.jar" || {
+      echo "failed (curl error: check URL or network)"
+      return 1
+    }
+  else
+    echo "failed (neither wget nor curl installed)"
+    echo "Please install wget or curl."
+    return 1
+  fi
+
+  if [ -f "$lib_dir/bcprov-jdk18on-$bc_version.jar" ] && [ -f "$lib_dir/bctls-jdk18on-$bc_version.jar" ]; then
+    echo "done"
+    BC_DOWNLOADED=true
+    return 0
+  else
+    echo "failed (downloaded files not found)"
+    return 1
+  fi
+}
+
+# Function to cleanup BC JARs
+cleanup_bc_jars() {
+  local lib_dir="../../../lib"
+  echo -n "Removing Bouncy Castle JARs... "
+  rm -f "$lib_dir/bcprov-jdk18on-"*".jar" "$lib_dir/bctls-jdk18on-"*".jar" && echo "done" || echo "failed"
+}
+
+cd ./examples/build/provider || {
+  echo "Error: Cannot change to ./examples/build/provider"
+  exit 1
+}
+
+export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:../../../lib:/usr/local/lib
+CLASSPATH="../../../lib/wolfcrypt-jni.jar:."
+
+# Check for existing Bouncy Castle JARs (any version)
+if ls "../../../lib/bcprov-jdk18on-"*".jar" "../../../lib/bctls-jdk18on-"*".jar" 2>/dev/null; then
+  latest_bc_jar=$(ls -t "../../../lib/bcprov-jdk18on-"*".jar" | head -n 1)
+  bc_version=$(basename "$latest_bc_jar" | sed -e 's/bcprov-jdk18on-//' -e 's/.jar$//')
+  echo "Running crypto benchmark with Bouncy Castle (version $bc_version)"
+  CLASSPATH="$CLASSPATH:$latest_bc_jar:../../../lib/bctls-jdk18on-$bc_version.jar"
+else
+  echo "Bouncy Castle JARs not found in lib directory"
+  read -p "Would you like to download Bouncy Castle JARs? (y/n) " -n 1 -r
+  echo
+  if [[ $REPLY =~ ^[Yy]$ ]]; then
+    if download_bc_jars; then
+      bc_version=$(get_latest_version)
+      echo "Running crypto benchmark with Bouncy Castle (version $bc_version)"
+      CLASSPATH="$CLASSPATH:../../../lib/bcprov-jdk18on-$bc_version.jar:../../../lib/bctls-jdk18on-$bc_version.jar"
+    else
+      echo "Running crypto benchmark without Bouncy Castle due to download failure"
+    fi
+  else
+    echo "Running crypto benchmark without Bouncy Castle"
+  fi
+fi
+
+java -XX:-TieredCompilation -XX:ReservedCodeCacheSize=1024m -classpath "$CLASSPATH" -Dsun.boot.library.path=../../../lib/ CryptoBenchmark "$@"
+
+if ls "../../../lib/bcprov-jdk18on-"*".jar" "../../../lib/bctls-jdk18on-"*".jar" 2>/dev/null; then
+  echo
+  read -p "Would you like to remove the Bouncy Castle JARs? (y/n) " -n 1 -r
+  echo
+  if [[ $REPLY =~ ^[Yy]$ ]]; then
+    cleanup_bc_jars
+  else
+    echo "Keeping Bouncy Castle JARs for future use"
+  fi
+fi

examples/provider/ProviderTest.java

@@ -1,6 +1,6 @@
 /* ProviderTest.java
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

examples/provider/WolfSSLKeyStoreExample.java

@@ -0,0 +1,276 @@
+/* WolfSSLKeyStoreExample.java
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.FileNotFoundException;
+import java.nio.file.Files;
+import java.security.NoSuchAlgorithmException;
+import java.security.Provider;
+import java.security.Security;
+import java.security.SecureRandom;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.KeyFactory;
+import java.security.KeyStoreException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.InvalidKeySpecException;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+
+import com.wolfssl.provider.jce.WolfCryptProvider;
+
+public class WolfSSLKeyStoreExample {
+
+    /* KeyStore password */
+    static String storePass = "wolfsslpassword";
+
+    /* KeyStore output file */
+    static String wksFile = "wolfssl.wks";
+
+    /* KeyStore type */
+    static String storeType = "WKS";
+
+    /* RSA server cert and private key */
+    static String serverCertRsaDer = "../../certs/server-cert.der";
+    static String serverRsaPkcs8Der = "../../certs/server-keyPkcs8.der";
+
+    /* ECC server cert and private key */
+    static String serverCertEccDer = "../../certs/server-ecc.der";
+    static String serverEccPkcs8Der = "../../certs/ecc-keyPkcs8.der";
+
+    /* RSA server cert chain */
+    static String intRsaServerCertDer =
+        "../../certs/intermediate/server-int-cert.pem";
+    static String intRsaInt1CertDer =
+        "../../certs/intermediate/ca-int-cert.pem";
+    static String intRsaInt2CertDer =
+        "../../certs/intermediate/ca-int2-cert.pem";
+
+    /* ECC server cert chain */
+    static String intEccServerCertDer =
+        "../../certs/intermediate/server-int-ecc-cert.der";
+    static String intEccInt1CertDer =
+        "../../certs/intermediate/ca-int-ecc-cert.der";
+    static String intEccInt2CertDer =
+        "../../certs/intermediate/ca-int2-ecc-cert.der";
+
+    /**
+     * Create and return PrivateKey object from file path to DER-encoded
+     * private key file.
+     *
+     * @param derFilePath file path to DER-encoded PKCS#8 private key file
+     * @param alg algorithm for KeyFactory instance (ex: "RSA", "EC")
+     *
+     * @return PrivateKey object created from file path given
+     *
+     * @throws IllegalArgumentException on bad argument or processing of arg
+     * @throws IOException on error converting File to Path
+     * @throws NoSuchAlgorithmException on bad "alg" when getting KeyFactory
+     * @throws InvalidKeySpecException on error generating PrivateKey object
+     * @throws Exception on other error
+     */
+    private static PrivateKey DerFileToPrivateKey(String derFilePath,
+        String alg) throws IllegalArgumentException, IOException,
+                           NoSuchAlgorithmException, InvalidKeySpecException,
+                           InvalidKeySpecException {
+
+        byte[] fileBytes = null;
+        PKCS8EncodedKeySpec spec = null;
+        KeyFactory kf = null;
+        PrivateKey key = null;
+
+        if (derFilePath == null || derFilePath.isEmpty()) {
+            throw new IllegalArgumentException(
+                "Input DER file path is null or empty");
+        }
+
+        fileBytes = Files.readAllBytes(new File(derFilePath).toPath());
+        if (fileBytes == null || fileBytes.length == 0) {
+            throw new IllegalArgumentException(
+                "Bytes read from DER file is null or empty, bad file path?");
+        }
+
+        spec = new PKCS8EncodedKeySpec(fileBytes);
+        if (spec == null) {
+            throw new InvalidKeySpecException(
+                "Unable to create PKCS8EncodedKeySpec");
+        }
+
+        kf = KeyFactory.getInstance(alg);
+        key = kf.generatePrivate(spec);
+
+        return key;
+    }
+
+    /**
+     * Read in and convert certificate file to Certificate object.
+     *
+     * @param certPath path to DER-encoded certificate file
+     *
+     * @return new Certificate object representing certPath file
+     *
+     * @throws FileNotFoundException on error reading certPath file
+     * @throws CertificateException on error geting CertificateFactory or
+     *         generating Certificate object
+     */
+    private static Certificate CertFileToCertificate(String certPath)
+        throws FileNotFoundException, CertificateException {
+
+        CertificateFactory cf = null;
+        Certificate cert = null;
+
+        cf = CertificateFactory.getInstance("X.509");
+        cert = cf.generateCertificate(new FileInputStream(certPath));
+
+        return cert;
+    }
+
+    public static void InsertKeyStoreEntries(KeyStore store)
+        throws FileNotFoundException, KeyStoreException, IOException,
+               CertificateException, NoSuchAlgorithmException,
+               InvalidKeySpecException {
+
+        byte[] fileBytes = null;
+        PrivateKey privKey = null;
+        Certificate cert = null;
+        Certificate[] chain = null;
+        KeyGenerator kg = null;
+        SecretKey aesKey = null;
+
+        /* INSERT [1]: RSA cert only */
+        cert = CertFileToCertificate(serverCertRsaDer);
+        store.setCertificateEntry("serverRsa", cert);
+
+        /* INSERT [2]: RSA priv key + single cert */
+        privKey = DerFileToPrivateKey(serverRsaPkcs8Der, "RSA");
+        store.setKeyEntry("rsaCert", privKey,
+            storePass.toCharArray(), new Certificate[] { cert });
+
+        /* INSERT [5]: RSA priv key + cert chain */
+        chain = new Certificate[3];
+        cert = CertFileToCertificate(intRsaServerCertDer);
+        chain[0] = cert;
+        cert = CertFileToCertificate(intRsaInt2CertDer);
+        chain[1] = cert;
+        cert = CertFileToCertificate(intRsaInt1CertDer);
+        chain[2] = cert;
+        store.setKeyEntry("rsaChain", privKey, storePass.toCharArray(), chain);
+
+        /* INSERT [3]: ECC cert only */
+        cert = CertFileToCertificate(serverCertEccDer);
+        store.setCertificateEntry("serverEcc", cert);
+
+        /* INSERT [4]: ECC priv key + single cert */
+        privKey = DerFileToPrivateKey(serverEccPkcs8Der, "EC");
+        store.setKeyEntry("eccCert", privKey,
+            storePass.toCharArray(), new Certificate[] { cert });
+
+        /* INSERT [6]: ECC priv key + cert chain */
+        chain = new Certificate[3];
+        cert = CertFileToCertificate(intEccServerCertDer);
+        chain[0] = cert;
+        cert = CertFileToCertificate(intEccInt2CertDer);
+        chain[1] = cert;
+        cert = CertFileToCertificate(intEccInt1CertDer);
+        chain[2] = cert;
+        store.setKeyEntry("eccChain", privKey, storePass.toCharArray(), chain);
+
+        /* INSERT [7]: AES SecretKey */
+        /* If running this example with JKS type, JKS cannot import
+         * non-private keys. Only do for WKS type. */
+        if (storeType.equals("WKS")) {
+            kg = KeyGenerator.getInstance("AES");
+            kg.init(256, new SecureRandom());
+            aesKey = kg.generateKey();
+            store.setKeyEntry("aesKey", aesKey, storePass.toCharArray(), null);
+        }
+    }
+
+    public static void WriteKeyStoreToFile(KeyStore store)
+        throws FileNotFoundException, KeyStoreException, IOException,
+               NoSuchAlgorithmException, CertificateException {
+
+        FileOutputStream fos = new FileOutputStream(wksFile);
+        store.store(fos, storePass.toCharArray());
+        fos.close();
+    }
+
+    public static KeyStore ReadKeyStoreFromFile(String fileName)
+        throws KeyStoreException, FileNotFoundException, IOException,
+               NoSuchAlgorithmException, CertificateException {
+
+        KeyStore store = null;
+
+        store = KeyStore.getInstance(storeType);
+        store.load(new FileInputStream(fileName), storePass.toCharArray());
+
+        return store;
+    }
+
+    public static void main(String args [])
+    {
+        KeyStore store = null;
+        Provider p = null;
+
+        System.out.println("WolfSSLKeyStore (WKS) Example App\n");
+
+        /* Install wolfJCE */
+        Security.insertProviderAt(new WolfCryptProvider(), 1);
+
+        try {
+            store = KeyStore.getInstance(storeType);
+            store.load(null, storePass.toCharArray());
+
+            p = store.getProvider();
+            System.out.println("KeyStore('" + storeType + "') provider = " + p);
+
+            /* Insert variety of entry types */
+            System.out.println("\n-------------------------------------------");
+            System.out.println("Inserting entries into KeyStore");
+            System.out.println("-------------------------------------------");
+            InsertKeyStoreEntries(store);
+
+            /* Store KeyStore to file (wolfssl.wks) */
+            System.out.println("\n-------------------------------------------");
+            System.out.println("Writing KeyStore to file: " + wksFile);
+            System.out.println("-------------------------------------------");
+            WriteKeyStoreToFile(store);
+
+            /* Read KeyStore back in from file */
+            System.out.println("\n-------------------------------------------");
+            System.out.println("Reading KeyStore in from file: " + wksFile);
+            System.out.println("-------------------------------------------");
+            store = ReadKeyStoreFromFile(wksFile);
+
+            System.out.println("\nExample Finished Successfully");
+
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
+

examples/provider/WolfSSLKeyStoreExample.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+cd ./examples/build/provider
+export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:../../../lib/:/usr/local/lib
+java -classpath ../../../lib/wolfcrypt-jni.jar:./ -Dsun.boot.library.path=../../../lib/ -Dwolfjce.debug=true WolfSSLKeyStoreExample $@
+

jni/include/com_wolfssl_provider_jce_WolfSSLKeyStore.h

@@ -0,0 +1,45 @@
+/* DO NOT EDIT THIS FILE - it is machine generated */
+#include <jni.h>
+/* Header for class com_wolfssl_provider_jce_WolfSSLKeyStore */
+
+#ifndef _Included_com_wolfssl_provider_jce_WolfSSLKeyStore
+#define _Included_com_wolfssl_provider_jce_WolfSSLKeyStore
+#ifdef __cplusplus
+extern "C" {
+#endif
+#undef com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_PBKDF2_SALT_SIZE
+#define com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_PBKDF2_SALT_SIZE 16L
+#undef com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_PBKDF2_MIN_ITERATIONS
+#define com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_PBKDF2_MIN_ITERATIONS 10000L
+#undef com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_PBKDF2_DEFAULT_ITERATIONS
+#define com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_PBKDF2_DEFAULT_ITERATIONS 210000L
+#undef com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_ENC_IV_LENGTH
+#define com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_ENC_IV_LENGTH 16L
+#undef com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_ENC_KEY_LENGTH
+#define com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_ENC_KEY_LENGTH 32L
+#undef com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_HMAC_KEY_LENGTH
+#define com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_HMAC_KEY_LENGTH 64L
+#undef com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_DEFAULT_MAX_CHAIN_COUNT
+#define com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_DEFAULT_MAX_CHAIN_COUNT 100L
+#undef com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_MAGIC_NUMBER
+#define com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_MAGIC_NUMBER 7L
+#undef com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_STORE_VERSION
+#define com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_STORE_VERSION 1L
+#undef com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_ENTRY_ID_PRIVATE_KEY
+#define com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_ENTRY_ID_PRIVATE_KEY 1L
+#undef com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_ENTRY_ID_CERTIFICATE
+#define com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_ENTRY_ID_CERTIFICATE 2L
+#undef com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_ENTRY_ID_SECRET_KEY
+#define com_wolfssl_provider_jce_WolfSSLKeyStore_WKS_ENTRY_ID_SECRET_KEY 3L
+/*
+ * Class:     com_wolfssl_provider_jce_WolfSSLKeyStore
+ * Method:    X509CheckPrivateKey
+ * Signature: ([B[B)Z
+ */
+JNIEXPORT jboolean JNICALL Java_com_wolfssl_provider_jce_WolfSSLKeyStore_X509CheckPrivateKey
+  (JNIEnv *, jobject, jbyteArray, jbyteArray);
+
+#ifdef __cplusplus
+}
+#endif
+#endif

jni/include/com_wolfssl_wolfcrypt_Asn.h

@@ -9,6 +9,46 @@ extern "C" {
 #endif
 #undef com_wolfssl_wolfcrypt_Asn_MAX_ENCODED_SIG_SIZE
 #define com_wolfssl_wolfcrypt_Asn_MAX_ENCODED_SIG_SIZE 512L
+/*
+ * Class:     com_wolfssl_wolfcrypt_Asn
+ * Method:    getDSAk
+ * Signature: ()I
+ */
+JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_Asn_getDSAk
+  (JNIEnv *, jclass);
+
+/*
+ * Class:     com_wolfssl_wolfcrypt_Asn
+ * Method:    getRSAk
+ * Signature: ()I
+ */
+JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_Asn_getRSAk
+  (JNIEnv *, jclass);
+
+/*
+ * Class:     com_wolfssl_wolfcrypt_Asn
+ * Method:    getRSAPSSk
+ * Signature: ()I
+ */
+JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_Asn_getRSAPSSk
+  (JNIEnv *, jclass);
+
+/*
+ * Class:     com_wolfssl_wolfcrypt_Asn
+ * Method:    getRSAESOAEPk
+ * Signature: ()I
+ */
+JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_Asn_getRSAESOAEPk
+  (JNIEnv *, jclass);
+
+/*
+ * Class:     com_wolfssl_wolfcrypt_Asn
+ * Method:    getECDSAk
+ * Signature: ()I
+ */
+JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_Asn_getECDSAk
+  (JNIEnv *, jclass);
+
 /*
  * Class:     com_wolfssl_wolfcrypt_Asn
  * Method:    encodeSignature
@@ -33,6 +73,14 @@ JNIEXPORT jlong JNICALL Java_com_wolfssl_wolfcrypt_Asn_encodeSignature___3B_3BJI
 JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_Asn_getCTC_1HashOID
   (JNIEnv *, jclass, jint);
 
+/*
+ * Class:     com_wolfssl_wolfcrypt_Asn
+ * Method:    getPkcs8AlgoID
+ * Signature: ([B)I
+ */
+JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_Asn_getPkcs8AlgoID
+  (JNIEnv *, jclass, jbyteArray);
+
 #ifdef __cplusplus
 }
 #endif

jni/include/com_wolfssl_wolfcrypt_FeatureDetect.h

@@ -55,6 +55,22 @@ JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_Sha384Enable
 JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_Sha512Enabled
   (JNIEnv *, jclass);
 
+/*
+ * Class:     com_wolfssl_wolfcrypt_FeatureDetect
+ * Method:    Sha3Enabled
+ * Signature: ()Z
+ */
+JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_Sha3Enabled
+  (JNIEnv *, jclass);
+
+/*
+ * Class:     com_wolfssl_wolfcrypt_FeatureDetect
+ * Method:    AesEnabled
+ * Signature: ()Z
+ */
+JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_AesEnabled
+  (JNIEnv *, jclass);
+
 /*
  * Class:     com_wolfssl_wolfcrypt_FeatureDetect
  * Method:    Aes128Enabled
@@ -111,6 +127,22 @@ JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_AesGcmStream
 JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_Des3Enabled
   (JNIEnv *, jclass);
 
+/*
+ * Class:     com_wolfssl_wolfcrypt_FeatureDetect
+ * Method:    ChaChaEnabled
+ * Signature: ()Z
+ */
+JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_ChaChaEnabled
+  (JNIEnv *, jclass);
+
+/*
+ * Class:     com_wolfssl_wolfcrypt_FeatureDetect
+ * Method:    HmacEnabled
+ * Signature: ()Z
+ */
+JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_HmacEnabled
+  (JNIEnv *, jclass);
+
 /*
  * Class:     com_wolfssl_wolfcrypt_FeatureDetect
  * Method:    HmacMd5Enabled
@@ -191,6 +223,14 @@ JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_HmacSha3_138
 JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_HmacSha3_1512Enabled
   (JNIEnv *, jclass);
 
+/*
+ * Class:     com_wolfssl_wolfcrypt_FeatureDetect
+ * Method:    Pbkdf1Enabled
+ * Signature: ()Z
+ */
+JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_Pbkdf1Enabled
+  (JNIEnv *, jclass);
+
 /*
  * Class:     com_wolfssl_wolfcrypt_FeatureDetect
  * Method:    Pbkdf2Enabled
@@ -199,6 +239,14 @@ JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_HmacSha3_151
 JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_Pbkdf2Enabled
   (JNIEnv *, jclass);
 
+/*
+ * Class:     com_wolfssl_wolfcrypt_FeatureDetect
+ * Method:    Pkcs12PbkdfEnabled
+ * Signature: ()Z
+ */
+JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_Pkcs12PbkdfEnabled
+  (JNIEnv *, jclass);
+
 /*
  * Class:     com_wolfssl_wolfcrypt_FeatureDetect
  * Method:    RsaEnabled
@@ -247,6 +295,22 @@ JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_EccKeyGenEna
 JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_EccDheEnabled
   (JNIEnv *, jclass);
 
+/*
+ * Class:     com_wolfssl_wolfcrypt_FeatureDetect
+ * Method:    Curve25519Enabled
+ * Signature: ()Z
+ */
+JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_Curve25519Enabled
+  (JNIEnv *, jclass);
+
+/*
+ * Class:     com_wolfssl_wolfcrypt_FeatureDetect
+ * Method:    Ed25519Enabled
+ * Signature: ()Z
+ */
+JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_Ed25519Enabled
+  (JNIEnv *, jclass);
+
 #ifdef __cplusplus
 }
 #endif

jni/include/com_wolfssl_wolfcrypt_Hmac.h

@@ -73,6 +73,14 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_Hmac_getCodeMd5
 JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_Hmac_getCodeSha
   (JNIEnv *, jclass);
 
+/*
+ * Class:     com_wolfssl_wolfcrypt_Hmac
+ * Method:    getCodeSha224
+ * Signature: ()I
+ */
+JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_Hmac_getCodeSha224
+  (JNIEnv *, jclass);
+
 /*
  * Class:     com_wolfssl_wolfcrypt_Hmac
  * Method:    getCodeSha256
@@ -105,6 +113,38 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_Hmac_getCodeSha512
 JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_Hmac_getCodeBlake2b
   (JNIEnv *, jclass);
 
+/*
+ * Class:     com_wolfssl_wolfcrypt_Hmac
+ * Method:    getCodeSha3_224
+ * Signature: ()I
+ */
+JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_Hmac_getCodeSha3_1224
+  (JNIEnv *, jclass);
+
+/*
+ * Class:     com_wolfssl_wolfcrypt_Hmac
+ * Method:    getCodeSha3_256
+ * Signature: ()I
+ */
+JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_Hmac_getCodeSha3_1256
+  (JNIEnv *, jclass);
+
+/*
+ * Class:     com_wolfssl_wolfcrypt_Hmac
+ * Method:    getCodeSha3_384
+ * Signature: ()I
+ */
+JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_Hmac_getCodeSha3_1384
+  (JNIEnv *, jclass);
+
+/*
+ * Class:     com_wolfssl_wolfcrypt_Hmac
+ * Method:    getCodeSha3_512
+ * Signature: ()I
+ */
+JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_Hmac_getCodeSha3_1512
+  (JNIEnv *, jclass);
+
 /*
  * Class:     com_wolfssl_wolfcrypt_Hmac
  * Method:    mallocNativeStruct