From 2ff81a4de8fc6f8738fee4365bb6cb8a61cdfb71 Mon Sep 17 00:00:00 2001 From: Andrew Hutchings Date: Thu, 18 Jun 2026 13:49:26 +0100 Subject: [PATCH 1/2] Use FIPS-compliant length user PIN in tests Seven tests used the 11-byte user PIN "someUserPin", which is below the 14-byte HMAC key minimum (HMAC_FIPS_MIN_KEY) that FIPS enforces on the PBKDF2 PIN hash. Under a FIPS + NSS build C_InitPIN therefore failed with CKR_FUNCTION_FAILED for these tests. None of them exercise short-PIN behaviour, so switch to the suite's standard 15-byte user PIN "wolfpkcs11-test" (updating the hardcoded userPinLen to match). The FIPS HMAC minimum is deliberate, so the tests are brought into compliance rather than weakening the PIN hash to accept short keys.
---
 tests/aes_cbc_pad_padding_test.c | 4 ++--
 tests/aes_keygen_attrs_test.c | 4 ++--
 tests/ecb_check_value_error_test.c | 4 ++--
 tests/find_objects_null_template_test.c | 4 ++--
 tests/operation_active_test.c | 4 ++--
 tests/pbkdf2_keygen_attrs_test.c | 4 ++--
 tests/pkcs11_compliance_test.c | 6 +++---
 7 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/tests/aes_cbc_pad_padding_test.c b/tests/aes_cbc_pad_padding_test.c
index dbdfe0be..2dbf811b 100644
--- a/tests/aes_cbc_pad_padding_test.c
+++ b/tests/aes_cbc_pad_padding_test.c
@@ -76,8 +76,8 @@ static CK_SLOT_ID slot = 0;
 static const char* tokenName = "wolfpkcs11";
 static byte* soPin = (byte*)"password123456";
 static int soPinLen = 14;
-static byte* userPin = (byte*)"someUserPin";
-static int userPinLen = 11;
+static byte* userPin = (byte*)"wolfpkcs11-test";
+static int userPinLen = 15;
 static CK_OBJECT_CLASS secretKeyClass = CKO_SECRET_KEY;
 static CK_BBOOL ckTrue = CK_TRUE;
diff --git a/tests/aes_keygen_attrs_test.c b/tests/aes_keygen_attrs_test.c
index 2e203955..3635a30f 100644
--- a/tests/aes_keygen_attrs_test.c
+++ b/tests/aes_keygen_attrs_test.c
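Review bot: `userPinLen = 15` is a hand-maintained number that has to agree with the literal on the line above, and the same pair is repeated in the hunks for aes_keygen_attrs_test.c, ecb_check_value_error_test.c, find_objects_null_template_test.c, operation_active_test.c and pbkdf2_keygen_attrs_test.c. Deriving the length from the literal, for example `static byte userPin[] = "wolfpkcs11-test";` with `static int userPinLen = (int)sizeof(userPin) - 1;`, removes the chance of the two drifting apart, provided nothing outside the hunk reassigns `userPin`. A comment such as `/* user PIN must be >= 14 bytes: FIPS HMAC key minimum applies to the PBKDF2 PIN hash */` would stop a later edit from shortening it again; `soPin` sits exactly on that 14-byte boundary. Since the description says none of these tests cover short PINs, a dedicated test asserting that C_InitPIN rejects an 11-byte PIN in a FIPS build would pin the intended behaviour.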
@@ -73,8 +73,8 @@ static CK_SLOT_ID slot = 0;
 static const char* tokenName = "wolfpkcs11";
 static byte* soPin = (byte*)"password123456";
 static int soPinLen = 14;
-static byte* userPin = (byte*)"someUserPin";
-static int userPinLen = 11;
+static byte* userPin = (byte*)"wolfpkcs11-test";
+static int userPinLen = 15;
 static CK_RV pkcs11_init(void)
 {
diff --git a/tests/ecb_check_value_error_test.c b/tests/ecb_check_value_error_test.c
index e04a9b73..e41ad1f6 100644
--- a/tests/ecb_check_value_error_test.c
+++ b/tests/ecb_check_value_error_test.c
@@ -77,8 +77,8 @@ static CK_SLOT_ID slot = 0;
 static const char* tokenName = "wolfpkcs11";
 static byte* soPin = (byte*)"password123456";
 static int soPinLen = 14;
-static byte* userPin = (byte*)"someUserPin";
-static int userPinLen = 11;
+static byte* userPin = (byte*)"wolfpkcs11-test";
+static int userPinLen = 15;
 static CK_OBJECT_CLASS secretKeyClass = CKO_SECRET_KEY;
 static CK_BBOOL ckTrue = CK_TRUE;
diff --git a/tests/find_objects_null_template_test.c b/tests/find_objects_null_template_test.c
index 84fb1022..a0413488 100644
--- a/tests/find_objects_null_template_test.c
+++ b/tests/find_objects_null_template_test.c
@@ -74,8 +74,8 @@ static CK_SLOT_ID slot = 0;
 static const char* tokenName = "wolfpkcs11";
 static byte* soPin = (byte*)"password123456";
 static int soPinLen = 14;
-static byte* userPin = (byte*)"someUserPin";
-static int userPinLen = 11;
+static byte* userPin = (byte*)"wolfpkcs11-test";
+static int userPinLen = 15;
 static CK_OBJECT_CLASS secretKeyClass = CKO_SECRET_KEY;
 static CK_OBJECT_CLASS dataClass = CKO_DATA;
diff --git a/tests/operation_active_test.c b/tests/operation_active_test.c
index 94216013..eebe7df5 100644
--- a/tests/operation_active_test.c
+++ b/tests/operation_active_test.c
@@ -74,8 +74,8 @@ static CK_SLOT_ID slot = 0;
 static const char* tokenName = "wolfpkcs11";
 static byte* soPin = (byte*)"password123456";
 static int soPinLen = 14;
-static byte* userPin = (byte*)"someUserPin";
-static int userPinLen = 11;
+static byte* userPin = (byte*)"wolfpkcs11-test";
+static int userPinLen = 15;
 static CK_OBJECT_CLASS secretKeyClass = CKO_SECRET_KEY;
 static CK_BBOOL ckTrue = CK_TRUE;
diff --git a/tests/pbkdf2_keygen_attrs_test.c b/tests/pbkdf2_keygen_attrs_test.c
index 29d10713..342c4611 100644
--- a/tests/pbkdf2_keygen_attrs_test.c
+++ b/tests/pbkdf2_keygen_attrs_test.c
@@ -73,8 +73,8 @@ static CK_SLOT_ID slot = 0;
 static const char* tokenName = "wolfpkcs11";
 static byte* soPin = (byte*)"password123456";
 static int soPinLen = 14;
-static byte* userPin = (byte*)"someUserPin";
-static int userPinLen = 11;
+static byte* userPin = (byte*)"wolfpkcs11-test";
+static int userPinLen = 15;
 static CK_RV pkcs11_init(void)
 {
diff --git a/tests/pkcs11_compliance_test.c b/tests/pkcs11_compliance_test.c
index 360a066d..5c1d41ce 100644
--- a/tests/pkcs11_compliance_test.c
+++ b/tests/pkcs11_compliance_test.c
@@ -1093,7 +1093,7 @@ static void test_3144_private_create_requires_login(void)
 CK_OBJECT_HANDLE privKey = CK_INVALID_HANDLE;
 CK_UTF8CHAR label[32];
 CK_BYTE soPin[] = "password123456";
- CK_BYTE userPin[] = "someUserPin";
+ CK_BYTE userPin[] = "wolfpkcs11-test";
 CK_OBJECT_CLASS secretKeyClass = CKO_SECRET_KEY;
 CK_KEY_TYPE genericKeyType = CKK_GENERIC_SECRET;
 CK_BBOOL ckTrue = CK_TRUE;
@@ -1276,7 +1276,7 @@ static void test_2370_private_default(void)
 CK_OBJECT_HANDLE pubKey = CK_INVALID_HANDLE;
 CK_OBJECT_HANDLE privKey = CK_INVALID_HANDLE;
 CK_BYTE soPin[] = "password123456";
- CK_BYTE userPin[] = "someUserPin";
+ CK_BYTE userPin[] = "wolfpkcs11-test";
 CK_UTF8CHAR label[32];
 CK_OBJECT_CLASS secretKeyClass = CKO_SECRET_KEY;
 CK_OBJECT_CLASS pubKeyClass = CKO_PUBLIC_KEY;
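Review bot: In test_3144_private_create_requires_login only the `userPin[]` initialiser changes, so the PIN length used by this function is set somewhere outside the hunk. If it is computed, e.g. `sizeof(userPin) - 1`, the change is complete; a literal `11` would now pass a truncated prefix of the new PIN and stay below the 14-byte minimum the description cites. The same check applies to the hunks for test_2370_private_default and test_2774_wrap_default, whose bodies also continue outside the visible lines.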
@@ -1429,7 +1429,7 @@ static void test_2774_wrap_default(void)
 CK_OBJECT_HANDLE rsaPriv = CK_INVALID_HANDLE;
 #endif
 CK_BYTE soPin[] = "password123456";
- CK_BYTE userPin[] = "someUserPin";
+ CK_BYTE userPin[] = "wolfpkcs11-test";
 CK_UTF8CHAR label[32];
 CK_OBJECT_CLASS secretKeyClass = CKO_SECRET_KEY;
 CK_KEY_TYPE aesKeyType = CKK_AES;
From 6e4796c0ede0e6db5eb23a6a996d12a6268f42b5 Mon Sep 17 00:00:00 2001 From: Andrew Hutchings Date: Thu, 18 Jun 2026 13:49:39 +0100 Subject: [PATCH 2/2] Bump Debian changelog to 2.1.0 configure.ac is already at 2.1.0; add the matching debian/changelog entry so the package version tracks the release.
---
 debian/changelog | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 75b75da6..d15065ce 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+wolfpkcs11 (2.1.0) stable; urgency=medium
+
+ * For a full changelog see
+ https://github.com/wolfSSL/wolfPKCS11/blob/master/README.md
+
+ -- wolfSSL Thu, 18 Jun 2026 12:39:59 +0000
+
 wolfpkcs11 (2.0.0) stable; urgency=medium
 * For a full changelog see