cra-kit: address Atwood round-2 review (regulatory accuracy + robustness)

Correct CRA references: default category (not "Class I") in classification
docs, and the Art. 14(2)(c) final-report clock (14 days after a fix is
available). Make _embedded_srcs word-split POSIX-safe, use mktemp for the
defines temp file, zero-out the OmniBOR sample binary hash, drop a stray
[DATE TO BE CONFIRMED] placeholder, qualify the product SPDX supplier,
rename auditor-packet README for GitHub, and harden CI (least-privilege
permissions + SHA-pinned actions).

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>

Author: sameehj

.github/workflows/cra-kit.yml

@@ -10,12 +10,17 @@ on:
       - 'cra-kit/**'
       - '.github/workflows/cra-kit.yml'
 
+# Least-privilege default; this workflow only needs to read the repo contents.
+permissions:
+  contents: read
+
 jobs:
   validate-auditor-packet:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      # Actions pinned to commit SHAs (supply-chain hygiene), not mutable tags.
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: '3.x'
       - name: Validate pinned auditor packet

…/auditor-packet/README-auditor-packet.md cra-kit/auditor-packet/README.mdcra-kit/auditor-packet/README-auditor-packet.md renamed to cra-kit/auditor-packet/README.md cra-kit/auditor-packet/README-auditor-packet.md renamed to cra-kit/auditor-packet/README.md

@@ -25,7 +25,7 @@
       "SPDXID": "SPDXRef-Package-Product",
       "name": "acme-connect-gateway",
       "versionInfo": "1.0.0",
-      "supplier": "Organization: Acme Industries",
+      "supplier": "Organization: Acme Industries (fictional example)",
       "downloadLocation": "NOASSERTION",
       "filesAnalyzed": false
     }

cra-kit/auditor-packet/product-acme-connect-gateway.spdx.json

@@ -28,10 +28,10 @@
         },
         {
           "algorithm": "SHA256",
-          "checksumValue": "391e86477f5eee025e677a24b13e2d9a4d3e4c18d88e6359853ebf1c9932279e"
+          "checksumValue": "0000000000000000000000000000000000000000000000000000000000000000"
         }
       ],
-      "comment": "OmniBOR identifier for the linked binary: gitoid:blob:sha1:0000000000000000000000000000000000000001 — sample placeholder. Real builds emit the actual gitoid covering all .o inputs."
+      "comment": "SENTINEL VALUES — both the SHA-1 gitoid and the SHA-256 here are all-zero placeholders, NOT real digests. A compiled .so cannot share the source archive's hash, so this sample deliberately avoids any real-looking value a customer might copy. Real builds emit the actual binary digests and the gitoid covering all .o inputs."
     }
   ],
   "files": [

cra-kit/auditor-packet/wolfssl-component/omnibor.wolfssl-5.9.1.spdx.json.sample

@@ -88,8 +88,16 @@ _run_embedded() {
         exit 1
     fi
 
-    # shellcheck disable=SC2046
-    set -- $( _embedded_srcs )
+    # Build the positional list of source files newline-safely so paths that
+    # contain spaces survive (POSIX sh has no arrays; unquoted command
+    # substitution would word-split and corrupt such paths).
+    set --
+    while IFS= read -r _src; do
+        [ -n "$_src" ] || continue
+        set -- "$@" "$_src"
+    done <<EOF
+$(_embedded_srcs)
+EOF
 
     # Optional commercial license override (LicenseRef-wolfSSL-Commercial etc).
     set -- "$@" --cdx-out "$CDX_OUT" --spdx-out "$SPDX_OUT"
@@ -116,9 +124,14 @@ _run_embedded() {
     echo "      Cross builds: set CC=arm-none-eabi-gcc (or your target compiler) so the"
     echo "      fallback reflects target macros, not the host's."
 
-    DEFINES_H="$OUT_DIR/.wolfssl-defines-$$.h"
+    # Use mktemp so the temp filename is unpredictable: a fixed PID-based name in
+    # a shared/CI directory could be pre-created or raced by another job.
+    DEFINES_H=$(mktemp "${TMPDIR:-/tmp}/wolfssl-defines.XXXXXX") || {
+        echo "ERROR: mktemp failed for the defines temp file." >&2
+        exit 1
+    }
     # Clean up the temp defines file on every exit path, including a failing
-    # generator run (it previously leaked the dotfile under `set -e` if the
+    # generator run (it previously leaked the file under `set -e` if the
     # final gen-sbom invocation failed before the manual `rm -f`).
     trap 'rm -f "$DEFINES_H"' EXIT
     CC=${CC:-cc}

cra-kit/scripts/generate-wolfssl-sbom.sh

@@ -2,7 +2,7 @@
 
 | File | CRA reference | Status |
 |------|---------------|--------|
-| [`classification-statement.md`](classification-statement.md) | Annex III / IV | ✅ Decided — Class I (default), self-certification |
+| [`classification-statement.md`](classification-statement.md) | Annex III / IV | ✅ Decided — default category (not Annex III/IV), self-certification |
 | [`conformity-assessment-route.md`](conformity-assessment-route.md) | Art. 32, Annex VIII | ✅ Module A self-assessment |
 | [`declaration-of-conformity.template.md`](declaration-of-conformity.template.md) | Art. 28 | 🟡 Template ready; signature pending product release alignment |
 | [`eu-authorised-representative.md`](eu-authorised-representative.md) | Art. 18 | 🟠 In progress — appointment underway |

cra-kit/wolfssl-inc-auditor-packet/00-INDEX.md

@@ -5,8 +5,9 @@
 
 ## Decision
 
-wolfSSL Inc. classifies the following products as **default class** ("Class I")
-for CRA purposes:
+wolfSSL Inc. classifies the following products as **default category** — neither
+Annex III "important" (class I / class II) nor Annex IV "critical" — for CRA
+purposes:
 
 | Product | Classification | Rationale |
 |---------|----------------|-----------|

cra-kit/wolfssl-inc-auditor-packet/classification-statement.md

@@ -30,9 +30,9 @@ point of contact in the EU.
    Casa Group) offer AR-as-a-service across CE-marking regulations. Cost is
    typically EUR 1500–4000/year per regulation; lead time 4–6 weeks.
 
-The internal call was made by wolfSSL leadership in [DATE TO BE CONFIRMED]. The
-written mandate will be in place before 11 Sep 2026 (Art. 14 vulnerability
-reporting onset) and certainly before 11 Dec 2027 (full CRA applicability).
+The internal decision is being finalised by wolfSSL leadership. The written
+mandate will be in place before 11 Sep 2026 (Art. 14 vulnerability reporting
+onset) and certainly before 11 Dec 2027 (full CRA applicability).
 
 ## Placeholder identity
 

cra-kit/wolfssl-inc-auditor-packet/eu-authorised-representative.md

@@ -58,9 +58,9 @@
 |-------|--------|-------|
 | Acknowledgement of receipt | **24 hours** | From any channel listed in `security.txt`. Pending public approval to commit. |
 | Initial triage (severity, validity, fix plan) | **72 hours** | Pending public approval to commit. |
-| ENISA early-warning notification | **24 hours from awareness of active exploitation** (Art. 14(1)) | Hard regulatory deadline — not negotiable. |
-| ENISA follow-up report | **72 hours from awareness** (Art. 14(2)) | Hard regulatory deadline. |
-| ENISA final report | **14 days from CSIRT notification of CVE-published or vendor-published advisory** (Art. 14(3)) | Hard regulatory deadline. |
+| ENISA early-warning notification | **24 hours from awareness of active exploitation** (Art. 14(2)(a)) | Hard regulatory deadline — not negotiable. |
+| ENISA follow-up report | **72 hours from awareness** (Art. 14(2)(b)) | Hard regulatory deadline. |
+| ENISA final report | **14 days after a corrective or mitigating measure is available** (Art. 14(2)(c)) | Hard regulatory deadline. Clock runs from fix-availability, **not** from awareness or CVE publication. |
 | Coordinated public disclosure | Typically 90 days from triage; case-by-case | Negotiable with reporter. |
 
 These targets are not yet publicly committed in the CVD policy. Once the