wolfSSL releases a new product; wolfCOSE a zero alloc C embbedded COSE stack

WolfSSL has released wolfCOSE, a zero-allocation C library implementing CBOR and COSE standards using wolfSSL as its cryptographic backend. The library supports all six RFC 9052 message types, 40 algorithms including post-quantum ML-DSA signing, and operates with a 7.5 KB minimal footprint while requiring less than 1 KB of RAM for full COSE lifecycle operations. The release provides a path to FIPS 140-3 certification through wolfCrypt and targets embedded systems requiring lightweight, deterministic cryptographic messaging.

wolfCOSE is a lightweight C library implementing CBOR RFC 8949 https://www.rfc-editor.org/rfc/rfc8949 and COSE RFC 9052/9053 https://www.rfc-editor.org/rfc/rfc9052 using wolfSSL https://www.wolfssl.com/ as the crypto backend. Complete RFC 9052 message set : all six COSE message types, including multi-signer COSE Sign and multi-recipient COSE Encrypt / COSE Mac Post-quantum signing : ML-DSA Dilithium at all three security levels 40 algorithms across signing, encryption, MAC, and key distribution Zero dynamic allocation : all operations use caller-provided buffers Tiny footprint : 7.5 KB .text minimal build Sign1+ECC , 25.6 KB full 40 algorithms , zero .data / .bss Full COSE lifecycle in ~<1KB RAM excluding wolfCrypt internals Path to FIPS 140-3 via wolfCrypt FIPS Certificate 4718 sole crypto dependency Signing: ES256, ES384, ES512, EdDSA Ed25519/Ed448 , PS256/384/512, ML-DSA-44/65/87 Encryption: AES-GCM 128/192/256 , ChaCha20-Poly1305, AES-CCM variants MAC: HMAC-SHA256/384/512, AES-MAC Key Distribution: Direct, AES Key Wrap, ECDH-ES+HKDF wolfCOSE has implemented all RFC 9052 messages both single-actor and multi-actor variants: | Message | RFC 9052 | API | Purpose | |---|---|---|---| COSE Sign1 | Sec. 4.2 | wc CoseSign1 Sign / wc CoseSign1 Verify | Single-signer signature | COSE Sign | Sec. 4.1 | wc CoseSign Sign / wc CoseSign Verify | Multi-signer independent signatures over the same payload | COSE Encrypt0 | Sec. 5.2 | wc CoseEncrypt0 Encrypt / wc CoseEncrypt0 Decrypt | Single-recipient AEAD | COSE Encrypt | Sec. 5.1 | wc CoseEncrypt Encrypt / wc CoseEncrypt Decrypt | Multi-recipient one ciphertext, many recipients via Direct / AES-KW / ECDH-ES | COSE Mac0 | Sec. 6.2 | wc CoseMac0 Create / wc CoseMac0 Verify | Single-recipient MAC | COSE Mac | Sec. 6.1 | wc CoseMac Create / wc CoseMac Verify | Multi-recipient MAC shared MAC key, distributed to recipients | COSE Key / COSE KeySet | Sec. 7 | wc CoseKey Encode / wc CoseKey Decode | Key serialization for all key types | wolfCOSE requires wolfSSL https://www.wolfssl.com/ as its crypto backend. Minimum supported version: v5.8.0-stable first release with the public wc ForceZero symbol alongside the FIPS 204 final ML-DSA and context-aware wc dilithium ctx msg APIs . Older 5.x releases can technically be supported but require source-level changes; contact wolfSSL https://www.wolfssl.com/contact/ for commercial support. Choose a build configuration based on the algorithms you need. This gives you COSE Sign1 ES256/384/512 and Encrypt0 AES-GCM : cd wolfssl ./autogen.sh ./configure --enable-ecc --enable-aesgcm \ --enable-sha384 --enable-sha512 --enable-keygen make && sudo make install sudo ldconfig Algorithms enabled: ES256, ES384, ES512, AES-GCM-128/192/256 For pure post-quantum signing with ML-DSA-44/65/87: cd wolfssl ./autogen.sh ./configure --enable-cryptonly --enable-dilithium make && sudo make install sudo ldconfig Algorithms enabled: ML-DSA-44, ML-DSA-65, ML-DSA-87 SHAKE-128/256 are pulled in automatically by --enable-dilithium . cd wolfssl ./autogen.sh ./configure --enable-ecc --enable-ed25519 --enable-ed448 \ --enable-curve25519 --enable-aesgcm --enable-aesccm \ --enable-sha384 --enable-sha512 --enable-keygen \ --enable-rsapss --enable-chacha --enable-poly1305 \ --enable-dilithium --enable-hkdf --enable-aeskeywrap make && sudo make install sudo ldconfig Core library libwolfcose.a make Run unit tests make test Build and run CLI tool round-trip tests all algorithms make tool-test Run lifecycle demo 11 algorithms make demo | Target | Description | |---|---| make all | Build libwolfcose.a core library only | make shared | Build libwolfcose.so | make test | Build + run CBOR and COSE unit tests | make tool | Build CLI tool tools/wolfcose tool | make tool-test | Round-trip self-test for all 17 algorithms | make demo | Build + run lifecycle demo 11 algorithms | make clean | Remove all build artifacts | See examples/ for complete working code: sign1 demo.c , encrypt0 demo.c , mac0 demo.c : algorithm demos lifecycle demo.c : full edge-to-cloud workflow comprehensive/ : algorithm matrix tests scenarios/ : firmware signing, attestation, fleet config Runs on every push and PR: Build + Test : Ubuntu, macOS, GCC 10-14, Clang 14-18 Comprehensive Tests : ~240 algorithm combination tests Static Analysis : cppcheck, Clang analyzer, GCC -fanalyzer MISRA C 2012 : cppcheck --addon=misra checking all wolfCOSE code paths MISRA C 2023 : strict GCC warnings and clang-tidy bugprone- , cert- , clang-analyzer- , misc- Coverity Scan : nightly defect analysis Advanced Internal Static Analysis: Fenrir wolfssl advanced static analysis tools Code Coverage : 99.3% for wolfcose.c, 100% for wolfcose cbor.c make coverage Run tests with gcov make coverage-force-failure Include crypto failure path testing Full documentation is available in the Wiki https://github.com/aidangarske/wolfCOSE/wiki : Getting Started https://github.com/aidangarske/wolfCOSE/wiki/Getting-Started : Build instructions and first steps Message Types https://github.com/aidangarske/wolfCOSE/wiki/Message-Types : All six RFC 9052 messages Sign1, Sign, Encrypt0, Encrypt, Mac0, Mac with code samples Algorithms https://github.com/aidangarske/wolfCOSE/wiki/Algorithms : Complete list of 40 supported algorithms with COSE IDs API Reference https://github.com/aidangarske/wolfCOSE/wiki/API-Reference : Function signatures, data structures, error codes Macros https://github.com/aidangarske/wolfCOSE/wiki/Macros : Compile-time configuration options Testing https://github.com/aidangarske/wolfCOSE/wiki/Testing : Test infrastructure, coverage, and failure injection MISRA Compliance https://github.com/aidangarske/wolfCOSE/wiki/MISRA-Compliance : MISRA C:2012 and C:2023 compliance status and deviation rationale Project Structure https://github.com/aidangarske/wolfCOSE/wiki/Project-Structure : Source file layout Blogs and update can be found here: wolfCOSE is free software licensed under the GPLv3 https://www.gnu.org/licenses/gpl-3.0.html . Copyright C 2026 wolfSSL Inc. Note:While wolfCOSE is currently maintained by wolfSSL developers, it is not yet classified as an officially supported product. It was designed from the ground up to meet the same quality standards as the rest of the wolfSSL suite with future adoption in mind. We are eager to transition this to a fully supported product as demand grows; if your organization requires official support or has specific feature requirements or you just have general questions or guidance with product, please reach out. For commercial licensing, professional support contracts, or to discuss moving wolfCOSE into your production environment, contact wolfSSL https://www.wolfssl.com/contact/ .