From a91d62e75beff787040b3a18b5a4be68b639b23b Mon Sep 17 00:00:00 2001
From: Andrew Hutchings
Date: Thu, 3 Jul 2025 13:33:05 +0100
Subject: [PATCH] Add a patch to make wolfPKCS11 the default in NSS
---
 nss/README.md | 5 +++++
 nss/nss-default.patch | 28 ++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 nss/nss-default.patch
diff --git a/nss/README.md b/nss/README.md
index eef425cb..2ec378b9 100644
--- a/nss/README.md
+++ b/nss/README.md
@@ -20,6 +20,11 @@ test the PKCS11 layer to see which curves are supported.
 NSS assumes that it is using a two-slot PKCS11 backend for non-FIPS by default.
 This patch falls back to one slot if a second slot is not found.
+### nss-default.patch
+
+This makes wolfPCKS11 the default provider for NSS, even if it is not explicitly
+specified.
+
 ## Compiling
 ### NSS
diff --git a/nss/nss-default.patch b/nss/nss-default.patch
new file mode 100644
index 00000000..c2b8e859
--- /dev/null
+++ b/nss/nss-default.patch
@@ -0,0 +1,28 @@
+diff --git a/lib/util/utilparst.h b/lib/util/utilparst.h
+index 5dda09028..39e4f55c9 100644
+--- a/lib/util/utilparst.h
++++ b/lib/util/utilparst.h
+@@ -37,7 +37,7 @@
+
+ /* default module configuration strings */
+ #define NSSUTIL_DEFAULT_INTERNAL_INIT1 \
+- "library= name=\"NSS Internal PKCS #11 Module\" parameters="
++ "library=libwolfpkcs11.so.3.1.0 name=wolfPKCS11 parameters="
+ #define NSSUTIL_DEFAULT_INTERNAL_INIT2 \
+ " NSS=\"Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={"
+ #define NSSUTIL_DEFAULT_INTERNAL_INIT3 \
+diff --git a/tests/common/init.sh b/tests/common/init.sh
+index cdf0a3c72..174a95bd0 100644
+--- a/tests/common/init.sh
++++ b/tests/common/init.sh
+@@ -342,8 +342,8 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ outdir="$2"
+ OUTFILE="${outdir}/pkcs11.txt"
+ cat > "$OUTFILE" << ++EOF++
+-library=
+-name=NSS Internal PKCS #11 Module
++library=libwolfpkcs11.so.3.1.0
++name=wolfPKCS11
+ parameters=configdir='./client' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+ NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+ ++EOF++
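Review bot: The replacement string for `NSSUTIL_DEFAULT_INTERNAL_INIT1` (and the matching `library=` line in the `tests/common/init.sh` heredoc) names the module as the bare, fully versioned file `libwolfpkcs11.so.3.1.0`, which raises two concerns for something that becomes the default crypto provider. A bare name is presumably resolved through the dynamic loader's search path, so whichever directory wins that search supplies the module for every application using this NSS build; an absolute path to a root-owned install directory would remove that dependency, e.g. `"library=<ABSOLUTE_INSTALL_DIR>/libwolfpkcs11.so.3.1.0 name=wolfPKCS11 parameters="` (placeholder path). Pinning `3.1.0` also means any wolfPKCS11 upgrade leaves the name unresolvable, and since the unchanged `NSSUTIL_DEFAULT_INTERNAL_INIT2` context still marks the module `Flags=internal,critical`, a failed load likely fails NSS initialization rather than falling back. A short header comment in the patch file stating which wolfPKCS11 release it is tied to would help whoever has to bump it.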