utilities for generic SetKey and ExportKey operations on HMAC, RSA, ECC,
and AES. Add wc_ecc_size/wc_ecc_sig_size callback hooks for hardware-only
keys. Integrate into configure.ac as --enable-cryptocbutils=setkey,export
options with CI test configurations in os-check.yml.
Add test handlers in test.c and api.c with export/import delegation
pattern, small-stack-safe allocations, custom curve support, and
DEBUG_CRYPTOCB helpers.
- se050_rsa_verify: when the function uploads only the public part of the key (keyCreated == 1), erase the transient SE050 object and don't persist keyIdSet = 1. A subsequent sign on the same RsaKey was reusing the public-only SE050 object and failing. Pre-existing bindings (from wc_RsaUseKeyId or a prior sign that uploaded a keypair) are preserved untouched.
- rsa_keygen_test: add WOLFSSL_SE050 to the existing WOLFSSL_CRYPTOCELL guard around the export-then-decode round-trip. SE050-generated keys keep their private components in the secure element, so wc_RsaKeyToDer + wc_RsaPrivateKeyDecode cannot complete. Matching guard on the idx declaration to avoid an unused-variable warning.
- se050_ed25519_verify_msg: initialize *res = 0 at entry so failures don't leak a stale res = 1 from a prior good verify.
- Ed25519 import functions: reset keyIdSet / keyId under WOLFSSL_SE050 in wc_ed25519_import_private_key_ex, wc_ed25519_import_private_only, wc_ed25519_import_public_ex so overwriting host-side key material invalidates any prior SE050 object binding.
- New workflow .github/workflows/se050-sim.yml: builds wolfSSL against the NXP Plug&Trust SDK and runs the wolfCrypt tests against the SE050Sim simulator. Patches the upstream Dockerfile to use the PR's wolfSSL source.
- ed25519_test SE050 adjustments:
- Cap the RFC 8032 loop at 5 iters — iter 5's 1023 B msg exceeds NXP SDK SE05X_TLV_BUF_SIZE_CMD = 900.
- rareEd verifies and private-only sign: expect WC_HW_E (SE050 delegates malformed-input rejection to the secure element) instead of BAD_FUNC_ARG / SIG_VERIFY_E.
- Skip ed25519ctx_test / ed25519ph_test — SE050 port drops the context/prehash params so RFC 8032 ctx/ph vectors can't byte-match.
This update introduces the WOLFSSL_DILITHIUM_DYNAMIC_KEYS option, allowing
for dynamic memory allocation of public and private key buffers. This change
reduces memory usage by allocating buffers only when needed.
Add NULL and bounds validation to public API entry points that
were missing basic argument checks. Fixes span ALPN, session cache,
X509, SRP, PrivateKey ID/Label, and OBJ_obj2txt.