wolfSSL · MarkAtwood · Jun 23, 2026 · Jun 24, 2026
diff --git a/Makefile.am b/Makefile.am
@@ -47,3 +47,51 @@ AM_DISTCHECK_CONFIGURE_FLAGS=CPPFLAGS="-I@abs_top_srcdir@/include" --with-openss
 EXTRA_DIST += README.md \
               engine.conf \
               ChangeLog.md
+
+# ---------------------------------------------------------------------------
+# SBOM generation (CycloneDX + SPDX) via wolfssl's scripts/gen-sbom
+# ---------------------------------------------------------------------------
+# Requires WOLFSSL_DIR to point at a wolfssl checkout (for scripts/gen-sbom).
+# wolfEngine has no generated options.h of its own; feature flags come from the
+# installed wolfssl. WOLFSSL_INCLUDEDIR defaults to $(WOLFSSL_DIR)/include but
+# can be overridden if wolfssl's headers live elsewhere.
+WOLFSSL_DIR ?=
+WOLFSSL_INCLUDEDIR ?= $(WOLFSSL_DIR)/include
+PRODUCT      = wolfengine
+VERSION      = $(shell grep -m1 'AC_INIT' $(srcdir)/configure.ac | sed "s/.*\[//;s/\].*//")
+GEN_SBOM     = $(WOLFSSL_DIR)/scripts/gen-sbom
+
+SBOM_OUT_DIR = $(builddir)
+SBOM_CDX     = $(SBOM_OUT_DIR)/$(PRODUCT)-$(VERSION).cdx.json
+SBOM_SPDX_J  = $(SBOM_OUT_DIR)/$(PRODUCT)-$(VERSION).spdx.json
+SBOM_SPDX_TV = $(SBOM_OUT_DIR)/$(PRODUCT)-$(VERSION).spdx
+
+.PHONY: sbom install-sbom uninstall-sbom
+
+sbom: all
+	@if test -z "$(WOLFSSL_DIR)"; then \
+	    echo "ERROR: WOLFSSL_DIR not set. Usage: make sbom WOLFSSL_DIR=/path/to/wolfssl"; \
+	    exit 1; \
+	fi
+	@if test -z "$(PYTHON3)"; then \
+	    echo "ERROR: python3 not found in PATH."; exit 1; fi
+	$(MAKE) install DESTDIR=$(abs_builddir)/_sbom_stage
+	$(PYTHON3) $(GEN_SBOM) \
+	    --name $(PRODUCT) \
+	    --version $(VERSION) \
+	    --supplier "wolfSSL Inc." \
+	    --options-h $(WOLFSSL_INCLUDEDIR)/wolfssl/options.h \
+	    --lib `find $(abs_builddir)/_sbom_stage$(libdir) -name 'libwolfengine.so.*.*.*' | head -1`
+	rm -rf $(abs_builddir)/_sbom_stage
+
+install-sbom: sbom
+	$(MKDIR_P) $(DESTDIR)$(datadir)/doc/$(PRODUCT)
+	$(INSTALL_DATA) $(SBOM_CDX) $(SBOM_SPDX_J) $(SBOM_SPDX_TV) \
+	    $(DESTDIR)$(datadir)/doc/$(PRODUCT)/
+
+uninstall-sbom:
+	-rm -f $(DESTDIR)$(datadir)/doc/$(PRODUCT)/$(PRODUCT)-*.cdx.json
+	-rm -f $(DESTDIR)$(datadir)/doc/$(PRODUCT)/$(PRODUCT)-*.spdx.json
+	-rm -f $(DESTDIR)$(datadir)/doc/$(PRODUCT)/$(PRODUCT)-*.spdx
+
+uninstall-hook: uninstall-sbom
diff --git a/README.md b/README.md
@@ -189,6 +189,34 @@ Visual Studio.
 
 Example programs using wolfEngine can be found in the `examples/` subdirectory.
 
+## SBOM / EU CRA Compliance
+
+wolfEngine generates a Software Bill of Materials (SBOM) in CycloneDX 1.6 and
+SPDX 2.3 formats to support compliance with the EU Cyber Resilience Act (CRA).
+
+```sh
+make sbom WOLFSSL_DIR=/path/to/wolfssl
+```
+
+Requires `python3` and `pyspdxtools` (`pip install spdx-tools`). `WOLFSSL_DIR`
+must point to a wolfssl source tree containing `scripts/gen-sbom` (branch
+`feat/sbom-embedded`, or `master` once wolfSSL/wolfssl#10343 merges).
+
+Output files in the build directory:
+
+| File | Format |
+|------|--------|
+| `wolfengine-1.4.0.cdx.json` | CycloneDX 1.6 |
+| `wolfengine-1.4.0.spdx.json` | SPDX 2.3 JSON |
+| `wolfengine-1.4.0.spdx` | SPDX 2.3 tag-value |
+
+```sh
+make install-sbom    # installs to $(datadir)/doc/wolfengine/
+make uninstall-sbom
+```
+
+For further CRA guidance see [wolfssl/doc/CRA.md](https://github.com/wolfSSL/wolfssl/blob/master/doc/CRA.md).
+
 ## Need Help?
 
 Please reach out to support@wolfssl.com for technical support. If you're

diff --git a/configure.ac b/configure.ac
@@ -721,6 +721,10 @@ AC_SUBST([AM_CPPFLAGS])
 AC_SUBST([AM_CFLAGS])
 AC_SUBST([AM_LDFLAGS])
 
+# SBOM generation tools
+AC_CHECK_PROG([PYTHON3], [python3], [python3])
+AC_CHECK_PROG([PYSPDXTOOLS], [pyspdxtools], [pyspdxtools])
+
 AC_CONFIG_FILES([Makefile
        rpm/spec])
 AC_OUTPUT