
Release wolfCOSE 1.0.0 #51

Merged: mattia-moffa merged 1 commit into main from release-v1.0.0 on Jun 25, 2026


@aidangarske (Member) commented Jun 11, 2026

Description

Release PR for wolfCOSE 1.0.0, the first stable release: a complete, zero-allocation CBOR (RFC 8949) + COSE (RFC 9052/9053) implementation on top of wolfCrypt.

This branch is rebuilt on top of current main, so it carries every hardening and fix that landed after the original release branch was cut. It adds only the release artifacts on top: include/wolfcose/version.h (1.0.0), ChangeLog.md, the README release-notes section, and the docs/ release notes.

Highlights

  • All six COSE message types (RFC 9052) in single-actor and multi-actor forms: COSE_Sign1 / COSE_Sign (multi-signer), COSE_Encrypt0 / COSE_Encrypt (multi-recipient), COSE_Mac0 / COSE_Mac
  • 40 algorithms: ES256/384/512, EdDSA (Ed25519/Ed448), PS256/384/512, AES-GCM/CCM, ChaCha20-Poly1305, HMAC, AES-MAC, Direct, AES Key Wrap, ECDH-ES+HKDF, and ML-DSA-44/65/87
  • Standardized post-quantum ML-DSA per RFC 9964 (AKP key type) and full RFC 8230 RSA private keys (n, e, d, p, q, dP, dQ, qInv)
  • Zero dynamic allocation, tiny footprint (ES256 Sign1 ~5.1 KB verify-only), MISRA C:2012/2023 checked
  • LIBWOLFCOSE_VERSION_STRING / LIBWOLFCOSE_VERSION_HEX for compile-time version checks

Included since the original release branch (now folded into the 1.0.0 ChangeLog)

  • API hardening: explicit WOLFCOSE_ALG_DIRECT required for COSE_Encrypt direct mode (zero-init algId rejected), wc_CBOR_PeekType NULL / end-of-buffer guarding with single-exit, const-qualified COSE_Encrypt0 key params
  • COSE_Mac empty protected header for direct-key recipients; preferred CBOR length for RSA n / d
  • Verify-only lean ECC builds that link against sign-disabled wolfCrypt (NO_ECC_SIGN, NO_ASN, no mp_int)
  • Security/CI gates: CodeQL, Semgrep, house-style, Coverity DEADCODE cleanup; expanded negative/boundary tests (4 KB large-payload round-trips, CBOR integer width boundaries, pinned MAC tag lengths, AES-CBC-MAC IV-chaining tamper checks)

Validation

  • Built and tested locally against wolfSSL 5.9.2-stable (first stable with the canonical wc_MlDsaKey API): make test, comprehensive, scenarios, tool-test, demos, zeroize-test, and the C++ public-header compile check all pass
  • CI version matrix auto-resolves the latest wolfSSL -stable (now 5.9.2) and enables the ML-DSA/PQC rows automatically

Release checklist

Copilot AI review requested due to automatic review settings June 11, 2026 02:40
@aidangarske changed the title from "Release wolfCOSE 1.0.0 (ML-DSA per RFC 9964)" to "Release wolfCOSE 1.0.0" Jun 11, 2026

This comment was marked as resolved.

@aidangarske self-assigned this Jun 11, 2026
@aidangarske marked this pull request as ready for review June 25, 2026 23:12
@aidangarske requested a review from mattia-moffa June 25, 2026 23:21
@mattia-moffa merged commit 0b16cee into main Jun 25, 2026
76 checks passed
@aidangarske deleted the release-v1.0.0 branch June 25, 2026 23:36
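
The "preferred CBOR length for RSA n / d" and "CBOR integer width boundaries" items in the description are read here as RFC 8949 preferred serialization, where a length or integer uses the shortest head that can hold it (an assumption about what the release note means). The C code below is an added example, not wolfCOSE code and not part of the PR: `cbor_put_head` and `cbor_get_head` are hypothetical names, and it covers major types 0 to 6 with definite lengths only.

```c
#include <stddef.h>
#include <stdint.h>

/* Write a CBOR head (major type 0..6 plus argument) in preferred, i.e.
 * shortest, form into a caller-supplied buffer; no allocation.
 * Returns bytes written, or 0 on bad input or insufficient space. */
size_t cbor_put_head(uint8_t *out, size_t cap, uint8_t major, uint64_t arg)
{
    size_t extra, i;
    uint8_t info;

    if (arg < 24u)               { info = (uint8_t)arg; extra = 0; }
    else if (arg <= 0xFFu)       { info = 24; extra = 1; }
    else if (arg <= 0xFFFFu)     { info = 25; extra = 2; }
    else if (arg <= 0xFFFFFFFFu) { info = 26; extra = 4; }
    else                         { info = 27; extra = 8; }
    if (out == NULL || major > 6u || cap < 1u + extra) return 0;
    out[0] = (uint8_t)((major << 5) | info);
    for (i = 0; i < extra; i++)
        out[1u + i] = (uint8_t)(arg >> (8u * (extra - 1u - i)));
    return 1u + extra;
}

/* Read a head. Returns bytes consumed, or 0 for NULL or truncated input,
 * major type 7, reserved/indefinite info (28..31), or an argument that a
 * shorter head could have carried (non-preferred encoding). */
size_t cbor_get_head(const uint8_t *in, size_t len, uint8_t *major,
                     uint64_t *arg)
{
    /* Smallest value that legitimately needs 1, 2, 4, 8 argument bytes. */
    static const uint64_t min_for[4] = {
        24u, 0x100u, 0x10000u, UINT64_C(0x100000000) };
    size_t extra, i;
    uint8_t info;
    uint64_t v = 0;

    if (in == NULL || major == NULL || arg == NULL || len < 1u) return 0;
    info = (uint8_t)(in[0] & 0x1Fu);
    if ((in[0] >> 5) > 6u || info > 27u) return 0;
    extra = (info < 24u) ? 0u : ((size_t)1u << (info - 24u));
    if (len < 1u + extra) return 0;
    for (i = 0; i < extra; i++) v = (v << 8) | in[1u + i];
    if (extra == 0u) v = info;
    else if (v < min_for[info - 24u]) return 0;   /* overlong */
    *major = (uint8_t)(in[0] >> 5);
    *arg = v;
    return 1u + extra;
}
```

With this encoding a 256-byte RSA modulus gets the byte-string head `59 01 00`, and the width changes fall at 23/24, 255/256, 65535/65536 and 2^32 - 1 / 2^32.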