wolfSSL · bigbrett · May 4, 2026 · May 5, 2026 · May 5, 2026 · May 5, 2026
diff --git a/docs/draft/auth.md b/docs/draft/auth.md
diff --git a/docs/draft/certificates.md b/docs/draft/certificates.md
diff --git a/src/wh_client_cert.c b/src/wh_client_cert.c
@@ -669,6 +669,65 @@ int wh_Client_CertVerifyMultiRootAndCacheLeafPubKey(
                                 inout_keyId, out_rc);
 }
 
+#ifdef WOLFHSM_CFG_CERTIFICATE_VERIFY_CACHE
+int wh_Client_CertVerifyCacheClearRequest(whClientContext* c)
+{
+    if (c == NULL) {
+        return WH_ERROR_BADARGS;
+    }
+    return wh_Client_SendRequest(c, WH_MESSAGE_GROUP_CERT,
+                                 WH_MESSAGE_CERT_ACTION_VERIFY_CACHE_CLEAR, 0,
+                                 NULL);
+}
+
+int wh_Client_CertVerifyCacheClearResponse(whClientContext* c, int32_t* out_rc)
+{
+    int                          rc;
+    uint16_t                     group;
+    uint16_t                     action;
+    uint16_t                     size;
+    whMessageCert_SimpleResponse resp;
+
+    if (c == NULL) {
+        return WH_ERROR_BADARGS;
+    }
+
+    rc = wh_Client_RecvResponse(c, &group, &action, &size, &resp);
+    if (rc == WH_ERROR_OK) {
+        if ((group != WH_MESSAGE_GROUP_CERT) ||
+            (action != WH_MESSAGE_CERT_ACTION_VERIFY_CACHE_CLEAR) ||
+            (size != sizeof(resp))) {
+            rc = WH_ERROR_ABORTED;
+        }
+        else if (out_rc != NULL) {
+            *out_rc = resp.rc;
+        }
+    }
+    return rc;
+}
+
+int wh_Client_CertVerifyCacheClear(whClientContext* c, int32_t* out_rc)
+{
+    int rc = WH_ERROR_OK;
+
+    if (c == NULL) {
+        return WH_ERROR_BADARGS;
+    }
+
+    do {
+        rc = wh_Client_CertVerifyCacheClearRequest(c);
+    } while (rc == WH_ERROR_NOTREADY);
+
+    if (rc == WH_ERROR_OK) {
+        do {
+            rc = wh_Client_CertVerifyCacheClearResponse(c, out_rc);
+        } while (rc == WH_ERROR_NOTREADY);
+    }
+
+    return rc;
+}
+#endif /* WOLFHSM_CFG_CERTIFICATE_VERIFY_CACHE */
+
 #ifdef WOLFHSM_CFG_DMA
 
 int wh_Client_CertAddTrustedDmaRequest(whClientContext* c, whNvmId id,

diff --git a/src/wh_nvm.c b/src/wh_nvm.c
@@ -104,20 +104,40 @@ int wh_Nvm_Init(whNvmContext* context, const whNvmConfig* config)
     memset(&context->globalCache, 0, sizeof(context->globalCache));
 #endif
 
+#ifdef WOLFHSM_CFG_CERTIFICATE_VERIFY_CACHE_GLOBAL
+    /* Initialize the global cert verify cache */
+    memset(&context->globalCertVerifyCache, 0,
+           sizeof(context->globalCertVerifyCache));
+#endif
+
 #ifdef WOLFHSM_CFG_THREADSAFE
     /* Initialize lock (NULL lockConfig = no-op locking) */
     rc = wh_Lock_Init(&context->lock, config->lockConfig);
     if (rc != WH_ERROR_OK) {
         return rc;
     }
+#ifdef WOLFHSM_CFG_CERTIFICATE_VERIFY_CACHE_GLOBAL
+    /* Initialize the global cert verify cache lock. Distinct lock from the
+     * NVM lock so cert-cache traffic and NVM I/O don't serialize each other.
+     * NULL config => no-op locking, same as the NVM lock above. */
+    rc = wh_Lock_Init(&context->globalCertVerifyCache.lock,
+                      config->certVerifyCacheLockConfig);
+    if (rc != WH_ERROR_OK) {
+        (void)wh_Lock_Cleanup(&context->lock);
+        return rc;
+    }
 #endif
+#endif /* WOLFHSM_CFG_THREADSAFE */
 
     if (context->cb != NULL && context->cb->Init != NULL) {
         rc = context->cb->Init(context->context, config->config);
         if (rc != WH_ERROR_OK) {
             context->cb = NULL;
             context->context = NULL;
 #ifdef WOLFHSM_CFG_THREADSAFE
+#ifdef WOLFHSM_CFG_CERTIFICATE_VERIFY_CACHE_GLOBAL
+            (void)wh_Lock_Cleanup(&context->globalCertVerifyCache.lock);
+#endif
             (void)wh_Lock_Cleanup(&context->lock);
 #endif
         }
@@ -140,6 +160,14 @@ int wh_Nvm_Cleanup(whNvmContext* context)
     memset(&context->globalCache, 0, sizeof(context->globalCache));
 #endif
 
+#ifdef WOLFHSM_CFG_CERTIFICATE_VERIFY_CACHE_GLOBAL
+    /* Clear cache slots/writeIdx but keep the embedded lock intact until its
+     * own cleanup below. */
+    memset(context->globalCertVerifyCache.slots, 0,
+           sizeof(context->globalCertVerifyCache.slots));
+    context->globalCertVerifyCache.writeIdx = 0;
+#endif
+
     /* No callback? Return ABORTED */
     if (context->cb->Cleanup == NULL) {
         rc = WH_ERROR_ABORTED;
@@ -149,6 +177,9 @@ int wh_Nvm_Cleanup(whNvmContext* context)
     }
 
 #ifdef WOLFHSM_CFG_THREADSAFE
+#ifdef WOLFHSM_CFG_CERTIFICATE_VERIFY_CACHE_GLOBAL
+    (void)wh_Lock_Cleanup(&context->globalCertVerifyCache.lock);
+#endif
     (void)wh_Lock_Cleanup(&context->lock);
 #endif
 

diff --git a/src/wh_server.c b/src/wh_server.c
@@ -122,6 +122,14 @@ int wh_Server_Init(whServerContext* server, whServerConfig* config)
     }
 #endif /* WOLFHSM_CFG_DMA */
 
+#if defined(WOLFHSM_CFG_CERTIFICATE_MANAGER) && !defined(WOLFHSM_CFG_NO_CRYPTO)
+    /* Register the user-supplied verify callback, if any. The cache (if
+     * compiled in) is already zero-initialized by the memset above. */
+    if (config->certConfig != NULL) {
+        server->cert.verifyCb = config->certConfig->verifyCb;
+    }
+#endif /* WOLFHSM_CFG_CERTIFICATE_MANAGER && !WOLFHSM_CFG_NO_CRYPTO */
+
     /* Log the server startup */
     WH_LOG(&server->log, WH_LOG_LEVEL_INFO, "Server Initialized");