From d042f8005ec59982b991b84e9d17cdab839a8e5e Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh <jacob@wolfssl.com>
Date: Tue, 7 Apr 2026 16:22:27 -0600
Subject: [PATCH 1/3] spelling fix

---
 docs/src/chapter07.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/src/chapter07.md b/docs/src/chapter07.md
index 276e5a3ea..bf22477e1 100644
--- a/docs/src/chapter07.md
+++ b/docs/src/chapter07.md
@@ -248,14 +248,14 @@ The data payload is a fixed size data buffer that the client can use in any way
 ```c
 /* request message to the custom server callback */
 typedef struct {
-    uint32_t               id;   /* indentifier of registered callback  */
+    uint32_t               id;   /* identifier of registered callback  */
     uint32_t               type; /* whMessageCustomCb_Type */
     whMessageCustomCb_Data data;
 } whMessageCustomCb_Request;
 
 /* response message from the custom server callback */
 typedef struct {
-    uint32_t id;   /* indentifier of registered callback  */
+    uint32_t id;   /* identifier of registered callback  */
     uint32_t type; /* whMessageCustomCb_Type */
     int32_t  rc;   /* Return code from custom callback. Invalid if err != 0 */
     int32_t  err;  /* wolfHSM-specific error. If err != 0, rc is invalid */

From 46587b6626f2ae7551a9249a7524087cafa4eef1 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh <jacob@wolfssl.com>
Date: Tue, 7 Apr 2026 17:07:44 -0600
Subject: [PATCH 2/3] use an actual hash digest with demo ecc sign/verify

---
 examples/demo/client/wh_demo_client_crypto.c | 28 +++++++++++---------
 1 file changed, 16 insertions(+), 12 deletions(-)

diff --git a/examples/demo/client/wh_demo_client_crypto.c b/examples/demo/client/wh_demo_client_crypto.c
index 9eae0aa13..f7844a435 100644
--- a/examples/demo/client/wh_demo_client_crypto.c
+++ b/examples/demo/client/wh_demo_client_crypto.c
@@ -494,14 +494,16 @@ int wh_DemoClient_CryptoEcc(whClientContext* clientContext)
     WC_RNG     rng[1];
     byte       sharedOne[32];
     byte       sharedTwo[32];
-    const char plainMessage[16] = "message example";
-    byte       message[sizeof(plainMessage)];
+    /* Pre-computed SHA-256 digest of "message example" */
+    /* Canned SHA-256 digest to use for sign/verify demo */
+    byte message[32] = {
+        0x48, 0x0E, 0x66, 0x2E, 0x59, 0x0A, 0x79, 0x6E,
+        0xE5, 0x00, 0xE1, 0xA0, 0xB7, 0xE1, 0x2C, 0x4E,
+        0xD0, 0x39, 0x1D, 0x67, 0x56, 0x2F, 0x6E, 0xE0,
+        0x48, 0x9C, 0x00, 0xB9, 0xA9, 0x37, 0x21, 0x00
+    };
     byte       signature[128];
 
-    /* Set the message to the test string */
-    strncpy((char*)message, plainMessage, sizeof(message)-1);
-    message[sizeof(message)-1] = '\0';
-
     /* Initialize the rng to make the ecc keys */
     ret = wc_InitRng_ex(rng, NULL, WH_DEV_ID);
     if (ret != 0) {
@@ -624,15 +626,17 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext)
     WC_RNG     rng[1];
     byte       sharedOne[32];
     byte       sharedTwo[32];
-    const char plainMessage[16] = "message example";
-    byte       message[sizeof(plainMessage)];
+    /* Pre-computed SHA-256 digest of "message example" */
+    /* Canned SHA-256 digest to use for sign/verify demo */
+    byte message[32] = {
+        0x48, 0x0E, 0x66, 0x2E, 0x59, 0x0A, 0x79, 0x6E,
+        0xE5, 0x00, 0xE1, 0xA0, 0xB7, 0xE1, 0x2C, 0x4E,
+        0xD0, 0x39, 0x1D, 0x67, 0x56, 0x2F, 0x6E, 0xE0,
+        0x48, 0x9C, 0x00, 0xB9, 0xA9, 0x37, 0x21, 0x00
+    };
     byte       signature[128];
     uint8_t    keyBuf[256];
 
-    /* Set the message to the test string */
-    strncpy((char*)message, plainMessage, sizeof(message)-1);
-    message[sizeof(message)-1] = '\0';
-
     /* Initialize the rng for signature signing */
     ret = wc_InitRng_ex(rng, NULL, WH_DEV_ID);
     if (ret != 0) {

From 325d76df7b92869c62f09b309fddd0252a65c5ca Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh <jacob@wolfssl.com>
Date: Tue, 7 Apr 2026 18:40:57 -0600
Subject: [PATCH 3/3] check for sig oid error along with sig confirm error

---
 src/wh_server_cert.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/wh_server_cert.c b/src/wh_server_cert.c
index 06d1a211e..eefa2f5b4 100644
--- a/src/wh_server_cert.c
+++ b/src/wh_server_cert.c
@@ -746,10 +746,10 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
                 (void)WH_SERVER_NVM_UNLOCK(server);
             } /* WH_SERVER_NVM_LOCK() */
 
-            /* Signature confirmation error is not an error for the server, so
+            /* Signature verification error is not an error for the server, so
              * propagate this error to the client in the response, otherwise
              * return the error code from the verify action */
-            if (rc == ASN_SIG_CONFIRM_E) {
+            if (rc == ASN_SIG_CONFIRM_E || rc == ASN_SIG_OID_E) {
                 resp.rc = WH_ERROR_CERT_VERIFY;
                 rc      = WH_ERROR_OK;
             }
@@ -794,10 +794,10 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
                     (void)WH_SERVER_NVM_UNLOCK(server);
                 } /* WH_SERVER_NVM_LOCK() */
 
-                /* Signature confirmation error is not an error for the server,
+                /* Signature verification error is not an error for the server,
                  * so propagate this error to the client in the response,
                  * otherwise return the error code from the verify action */
-                if (rc == ASN_SIG_CONFIRM_E) {
+                if (rc == ASN_SIG_CONFIRM_E || rc == ASN_SIG_OID_E) {
                     resp.rc = WH_ERROR_CERT_VERIFY;
                     rc      = WH_ERROR_OK;
                 }