(Loose Implementation plan)
Context
wolfCOSE already has ~20 individual WOLFCOSE_NO_* opt-out macros, but users targeting constrained IoT devices must manually define 8+ macros to get a
minimal build. This adds a single convenience macro (WOLFCOSE_LEAN) that bundles the smallest useful COSE + CBOR configuration, plus a
WOLFCOSE_LEAN_VERIFY variant for verify-only builds (the most common firmware-update use case).
Changes
- include/wolfcose/wolfcose.h — Add convenience profile blocks
Insert before the existing feature gate section (line 59), after extern "C":
/* === Convenience profiles === */
#ifdef WOLFCOSE_LEAN_VERIFY
/* Verify-only implies lean /
#ifndef WOLFCOSE_LEAN
#define WOLFCOSE_LEAN
#endif
/ Disable signing and CBOR encoding */
#define WOLFCOSE_NO_SIGN1_SIGN
#define WOLFCOSE_NO_CBOR_ENCODE
#endif
#ifdef WOLFCOSE_LEAN
/* Keep only SIGN1; disable everything else */
#define WOLFCOSE_NO_ENCRYPT0
#define WOLFCOSE_NO_MAC0
#define WOLFCOSE_NO_SIGN
#define WOLFCOSE_NO_ENCRYPT
#define WOLFCOSE_NO_MAC
#define WOLFCOSE_NO_RECIPIENTS
#define WOLFCOSE_NO_KEY_ENCODE
#define WOLFCOSE_NO_KEY_DECODE
/* Tighter limits for constrained devices (user can still override) */
#ifndef WOLFCOSE_MAX_SCRATCH_SZ
#define WOLFCOSE_MAX_SCRATCH_SZ 256
#endif
#ifndef WOLFCOSE_PROTECTED_HDR_MAX
#define WOLFCOSE_PROTECTED_HDR_MAX 32
#endif
#ifndef WOLFCOSE_CBOR_MAX_DEPTH
#define WOLFCOSE_CBOR_MAX_DEPTH 4
#endif
#ifndef WOLFCOSE_MAX_MAP_ITEMS
#define WOLFCOSE_MAX_MAP_ITEMS 8
#endif
#ifndef WOLFCOSE_MAX_SIG_SZ
#define WOLFCOSE_MAX_SIG_SZ 72
#endif
#endif /* WOLFCOSE_LEAN */
What stays enabled:
- WOLFCOSE_LEAN: Sign1 sign+verify, CBOR encode+decode, key init/set/free
- WOLFCOSE_LEAN_VERIFY: Sign1 verify only, CBOR decode only, key init/set/free
Reduced limits rationale:
- MAX_SCRATCH_SZ 256: ES256 Sig_structure fits easily; 512 was for encryption AAD
- PROTECTED_HDR_MAX 32: {1: -7} (alg=ES256) is 4 CBOR bytes; 32 is generous
- CBOR_MAX_DEPTH 4: Sign1 nests tag->array->leaves = 3 levels
- MAX_MAP_ITEMS 8: Protected+unprotected headers rarely exceed 3-4 items
- MAX_SIG_SZ 72: ES256 raw sig = 64 bytes + margin (ES384/512/RSA need explicit override)
Estimated code exclusion: ~4,555 of 6,232 lines in wolfcose.c are behind gates that LEAN disables. Active COSE code drops to ~1,500 lines (shared helpers
- Makefile — Add lean and lean-verify targets
Add to .PHONY line and add new targets:
lean: clean
$(CC) $(CFLAGS) -DWOLFCOSE_LEAN -c src/wolfcose_cbor.c -o src/wolfcose_cbor.
$(CC) $(CFLAGS) -DWOLFCOSE_LEAN -c src/wolfcose.c -o src/wolfcose.
$(AR) rcs $(LIB_A) $(OBJ
@echo "=== Lean build complete (Sign1 only) ===
@SiZe $(LIB_A) || tru
lean-verify: clean
$(CC) $(CFLAGS) -DWOLFCOSE_LEAN_VERIFY -c src/wolfcose_cbor.c -o src/wolfcose_cbor.
$(CC) $(CFLAGS) -DWOLFCOSE_LEAN_VERIFY -c src/wolfcose.c -o src/wolfcose.
$(AR) rcs $(LIB_A) $(OBJ
@echo "=== Lean verify-only build complete ===
@SiZe $(LIB_A) || tru
- .github/workflows/minimal-build.yml — Add CI entries
Add two matrix entries and pass extra_cflags through build/test steps:
-
name: Lean (Sign1 only)
wolfssl_flags: "--enable-cryptonly --enable-ecc --enable-keygen"
cache_key: wolfssl-lean-v1
extra_cflags: "-DWOLFCOSE_LEAN"
-
name: Lean Verify-only
wolfssl_flags: "--enable-cryptonly --enable-ecc"
cache_key: wolfssl-lean-verify-v1
extra_cflags: "-DWOLFCOSE_LEAN_VERIFY"
Append ${{ matrix.extra_cflags || '' }} to CFLAGS in all three build steps. Skip tool-test for LEAN_VERIFY (signing disabled).
- README.md — Document lean builds
Add "Lean Build" subsection after the existing "Build" section and add lean/lean-verify to the Build Targets table.
(Loose Implementation plan)
Context
wolfCOSE already has ~20 individual WOLFCOSE_NO_* opt-out macros, but users targeting constrained IoT devices must manually define 8+ macros to get a
minimal build. This adds a single convenience macro (WOLFCOSE_LEAN) that bundles the smallest useful COSE + CBOR configuration, plus a
WOLFCOSE_LEAN_VERIFY variant for verify-only builds (the most common firmware-update use case).
Changes
Insert before the existing feature gate section (line 59), after extern "C":
/* === Convenience profiles === */
#ifdef WOLFCOSE_LEAN_VERIFY
/* Verify-only implies lean /
#ifndef WOLFCOSE_LEAN
#define WOLFCOSE_LEAN
#endif
/ Disable signing and CBOR encoding */
#define WOLFCOSE_NO_SIGN1_SIGN
#define WOLFCOSE_NO_CBOR_ENCODE
#endif
#ifdef WOLFCOSE_LEAN
/* Keep only SIGN1; disable everything else */
#define WOLFCOSE_NO_ENCRYPT0
#define WOLFCOSE_NO_MAC0
#define WOLFCOSE_NO_SIGN
#define WOLFCOSE_NO_ENCRYPT
#define WOLFCOSE_NO_MAC
#define WOLFCOSE_NO_RECIPIENTS
#define WOLFCOSE_NO_KEY_ENCODE
#define WOLFCOSE_NO_KEY_DECODE
#endif /* WOLFCOSE_LEAN */
What stays enabled:
Reduced limits rationale:
Estimated code exclusion: ~4,555 of 6,232 lines in wolfcose.c are behind gates that LEAN disables. Active COSE code drops to ~1,500 lines (shared helpers
Add to .PHONY line and add new targets:
lean: clean
$(CC) $ (CFLAGS) -DWOLFCOSE_LEAN -c src/wolfcose_cbor.c -o src/wolfcose_cbor.
$(CC) $ (CFLAGS) -DWOLFCOSE_LEAN -c src/wolfcose.c -o src/wolfcose.
$(AR) rcs $ (LIB_A) $(OBJ
@echo "=== Lean build complete (Sign1 only) ===
@SiZe $(LIB_A) || tru
lean-verify: clean
$(CC) $ (CFLAGS) -DWOLFCOSE_LEAN_VERIFY -c src/wolfcose_cbor.c -o src/wolfcose_cbor.
$(CC) $ (CFLAGS) -DWOLFCOSE_LEAN_VERIFY -c src/wolfcose.c -o src/wolfcose.
$(AR) rcs $ (LIB_A) $(OBJ
@echo "=== Lean verify-only build complete ===
@SiZe $(LIB_A) || tru
Add two matrix entries and pass extra_cflags through build/test steps:
name: Lean (Sign1 only)
wolfssl_flags: "--enable-cryptonly --enable-ecc --enable-keygen"
cache_key: wolfssl-lean-v1
extra_cflags: "-DWOLFCOSE_LEAN"
name: Lean Verify-only
wolfssl_flags: "--enable-cryptonly --enable-ecc"
cache_key: wolfssl-lean-verify-v1
extra_cflags: "-DWOLFCOSE_LEAN_VERIFY"
Append ${{ matrix.extra_cflags || '' }} to CFLAGS in all three build steps. Skip tool-test for LEAN_VERIFY (signing disabled).
Add "Lean Build" subsection after the existing "Build" section and add lean/lean-verify to the Build Targets table.