feat: SBOM generation and OmniBOR build provenance (CRA compliance)

Adds two complementary supply chain transparency targets to the
wolfSSL autotools build, and documentation covering both as a unified
whole.

## make sbom

Generates a Software Bill of Materials for EU Cyber Resilience Act
(CRA) compliance.  Produces three files in the build directory:

  wolfssl-<version>.cdx.json   CycloneDX 1.6 JSON
  wolfssl-<version>.spdx.json  SPDX 2.3 JSON
  wolfssl-<version>.spdx       SPDX 2.3 tag-value (validated)

The SPDX JSON is validated by pyspdxtools before the tag-value file
is written; make sbom fails if validation fails.

SBOM contents: package name/version, supplier, license (parsed from
LICENSING at generation time, not hardcoded), copyright, SHA-256 of
the installed library, CPE, PURL, download location, and build
configuration defines as a comment.  Third-party dependencies
(liboqs, libz, libxmss, liblms) are included when enabled.

Implementation: scripts/gen-sbom (Python 3, stdlib only) stages a
make install into a temporary directory, hashes the installed
library, generates both SBOM formats, then removes the staging
directory.  configure.ac detects python3, pyspdxtools, and git via
AC_PATH_PROG.

install-sbom / uninstall-sbom targets install the three files to
$(datadir)/doc/wolfssl/.  make clean removes all generated files.

## make bomsh

Generates an OmniBOR artifact dependency graph using the Bomsh
project (https://github.com/omnibor/bomsh), providing cryptographic
traceability from every built binary back to the exact set of source
files that produced it.

Runs a full clean rebuild under bomtrace3 (a patched strace, userspace
only — no kernel modifications required).  bomtrace3 intercepts every
compiler execve() syscall and records inputs and outputs; it cannot
post-process an already-built tree, hence the clean rebuild.
bomsh_create_bom.py processes the raw logfile to produce the OmniBOR
artifact objects and metadata in omnibor/.

If bomsh_sbom.py is available and wolfssl-<version>.spdx.json exists
(from make sbom), annotates that SPDX document with a PERSISTENT-ID
gitoid ExternalRef, producing omnibor.wolfssl-<version>.spdx.json.
This enriched SPDX bridges component identity and build provenance in
a single document.

configure.ac detects bomtrace3, bomsh_create_bom.py, and bomsh_sbom.py
via AC_PATH_PROG.  The raw logfile and conf file are written to the
build directory (not /tmp/) to avoid concurrent-build collisions, and
removed by make clean.

install-bomsh / uninstall-bomsh targets install omnibor/ and the
enriched SPDX to $(datadir)/doc/wolfssl/.

## Documentation

doc/SBOM.md: unified reference covering both make sbom and make bomsh
as parts of a single supply chain transparency story — component
identity (what) and build provenance (how) — with a combined workflow
section and full output file reference.

doc/CRA.md: product-integrator guide covering how to incorporate
wolfSSL's SBOM artefacts into a downstream product SBOM (SPDX
ExternalDocumentRef and CycloneDX component reference patterns),
commercial license concluded-field guidance, OmniBOR gitoid meaning,
auditor handoff checklist, and links to OpenSSF CRA and SBOM Everywhere
SIG guidance pages.

INSTALL: sections 21 (make sbom) and 22 (make bomsh).
README.md: brief SBOM/CRA and OmniBOR/Bomsh sections.
doc/include.am: SBOM.md and CRA.md added to dist_doc_DATA.

Author: MarkAtwood

INSTALL

@@ -322,3 +322,76 @@ We also have vcpkg ports for wolftpm, wolfmqtt and curl.
 
     Deprecated. wolfSSL now has its own XMMS/XMSS^MT implementation in
     wolfCrypt.
+
+21. Generating an SBOM (Software Bill of Materials)
+
+    wolfSSL can generate a Software Bill of Materials for EU Cyber Resilience
+    Act (CRA) compliance after a normal build and install.
+
+    Prerequisites:
+      - python3 (detected automatically by configure)
+      - pyspdxtools (pip install spdx-tools)
+
+    Usage:
+
+      $ ./configure
+      $ make
+      $ make sbom
+
+    This produces three files in the build directory:
+
+      wolfssl-<version>.cdx.json   CycloneDX 1.6 JSON
+      wolfssl-<version>.spdx.json  SPDX 2.3 JSON
+      wolfssl-<version>.spdx       SPDX 2.3 tag-value (validated by pyspdxtools)
+
+    The SPDX JSON is validated by pyspdxtools before the tag-value file is
+    written; make sbom fails if validation fails.
+
+    To install the SBOM files to $(datadir)/doc/wolfssl/:
+
+      $ make install-sbom
+
+    To remove installed SBOM files:
+
+      $ make uninstall-sbom
+
+    The generated files are removed by make clean.
+
+    For details on the SBOM contents and CRA context, see doc/SBOM.md.
+
+22. Generating OmniBOR build artifact graph (Bomsh)
+
+    wolfSSL supports generating an OmniBOR artifact dependency graph using
+    the Bomsh project (https://github.com/omnibor/bomsh).  OmniBOR provides
+    cryptographic traceability from every binary artifact back to the exact
+    source files that produced it.
+
+    Prerequisites:
+      - bomtrace3 (build from https://github.com/omnibor/bomsh)
+      - bomsh_create_bom.py (from the bomsh scripts/ directory, in PATH)
+      - bomsh_sbom.py (optional; from bomsh scripts/, for SPDX enrichment)
+
+    Both bomtrace3 and the Python scripts are detected by configure.
+    make bomsh fails with a clear error message if either required tool
+    is missing.
+
+    Usage:
+
+      $ ./configure
+      $ make
+      $ make bomsh
+
+    This performs a clean rebuild of wolfSSL under bomtrace3 tracing,
+    then produces an OmniBOR artifact graph in omnibor/ in the build
+    directory.  If bomsh_sbom.py is available and a wolfssl-<ver>.spdx.json
+    exists (from 'make sbom'), it also produces an OmniBOR-enriched SPDX
+    document omnibor.wolfssl-<ver>.spdx.json.
+
+    To install:
+
+      $ make install-bomsh   # installs omnibor/ to $(datadir)/doc/wolfssl/
+      $ make uninstall-bomsh # removes installed files
+
+    The generated files are removed by make clean.
+
+    See doc/SBOM.md for full details.

Makefile.am

@@ -350,3 +350,113 @@ merge-clean:
 
 .cu.lo:
 	$(LIBTOOL) --tag=CC --mode=compile $(COMPILE) --compile -o $@ $< -static
+
+# SBOM generation (CRA compliance)
+SBOM_CDX     = wolfssl-$(PACKAGE_VERSION).cdx.json
+SBOM_SPDX    = wolfssl-$(PACKAGE_VERSION).spdx.json
+SBOM_SPDX_TV = wolfssl-$(PACKAGE_VERSION).spdx
+sbomdir      = $(datadir)/doc/$(PACKAGE)
+
+.PHONY: sbom install-sbom uninstall-sbom
+
+sbom:
+	@if test -z "$(PYTHON3)"; then \
+	    echo ""; \
+	    echo "ERROR: 'python3' not found in PATH. Cannot generate SBOM."; \
+	    echo ""; \
+	    exit 1; \
+	fi
+	@if test -z "$(PYSPDXTOOLS)"; then \
+	    echo ""; \
+	    echo "ERROR: 'pyspdxtools' not found in PATH. Cannot validate SBOM."; \
+	    echo "       Install: pip install spdx-tools"; \
+	    echo ""; \
+	    exit 1; \
+	fi
+	rm -rf $(abs_builddir)/_sbom_staging
+	$(MAKE) install DESTDIR=$(abs_builddir)/_sbom_staging
+	$(PYTHON3) $(srcdir)/scripts/gen-sbom \
+	    --name $(PACKAGE) \
+	    --version $(PACKAGE_VERSION) \
+	    --license-file $(srcdir)/LICENSING \
+	    --options-h $(abs_builddir)/wolfssl/options.h \
+	    --lib $(abs_builddir)/_sbom_staging$(libdir)/libwolfssl.so.$(WOLFSSL_LIBRARY_VERSION_FIRST).$(WOLFSSL_LIBRARY_VERSION_SECOND).$(WOLFSSL_LIBRARY_VERSION_THIRD) \
+	    --dep-liboqs $(ENABLED_LIBOQS) \
+	    --dep-libxmss $(ENABLED_LIBXMSS) \
+	    --dep-libxmss-root '$(XMSS_ROOT)' \
+	    --dep-liblms $(ENABLED_LIBLMS) \
+	    --dep-liblms-root '$(LIBLMS_ROOT)' \
+	    --dep-libz $(ENABLED_LIBZ) \
+	    --git '$(GIT)' \
+	    --cdx-out $(abs_builddir)/$(SBOM_CDX) \
+	    --spdx-out $(abs_builddir)/$(SBOM_SPDX)
+	rm -rf $(abs_builddir)/_sbom_staging
+	$(PYSPDXTOOLS) --infile $(abs_builddir)/$(SBOM_SPDX) \
+	    --outfile $(abs_builddir)/$(SBOM_SPDX_TV)
+
+install-sbom: sbom
+	$(MKDIR_P) $(DESTDIR)$(sbomdir)
+	$(INSTALL_DATA) $(SBOM_CDX) $(DESTDIR)$(sbomdir)/
+	$(INSTALL_DATA) $(SBOM_SPDX) $(DESTDIR)$(sbomdir)/
+	$(INSTALL_DATA) $(SBOM_SPDX_TV) $(DESTDIR)$(sbomdir)/
+
+uninstall-sbom:
+	-rm -f $(DESTDIR)$(sbomdir)/$(SBOM_CDX)
+	-rm -f $(DESTDIR)$(sbomdir)/$(SBOM_SPDX)
+	-rm -f $(DESTDIR)$(sbomdir)/$(SBOM_SPDX_TV)
+
+CLEANFILES += $(SBOM_CDX) $(SBOM_SPDX) $(SBOM_SPDX_TV)
+
+# Bomsh (OmniBOR build artifact tracing + SBOM enrichment)
+BOMSH_RAWLOG_BASE = $(abs_builddir)/bomsh_raw_logfile
+BOMSH_RAWLOG      = $(BOMSH_RAWLOG_BASE).sha1
+BOMSH_CONF        = $(abs_builddir)/_bomsh.conf
+BOMSH_OMNIBORDIR  = $(abs_builddir)/omnibor
+BOMSH_SPDX_OUT    = omnibor.wolfssl-$(PACKAGE_VERSION).spdx.json
+bomshdir          = $(datadir)/doc/$(PACKAGE)
+
+.PHONY: bomsh install-bomsh uninstall-bomsh
+
+bomsh:
+	@if test -z "$(BOMTRACE3)"; then \
+	    echo ""; \
+	    echo "ERROR: 'bomtrace3' not found in PATH. Cannot generate OmniBOR data."; \
+	    echo "       Build bomtrace3 from: https://github.com/omnibor/bomsh"; \
+	    echo ""; \
+	    exit 1; \
+	fi
+	@if test -z "$(BOMSH_CREATE_BOM)"; then \
+	    echo ""; \
+	    echo "ERROR: 'bomsh_create_bom.py' not found in PATH. Cannot process OmniBOR data."; \
+	    echo "       Install from: https://github.com/omnibor/bomsh"; \
+	    echo ""; \
+	    exit 1; \
+	fi
+	$(MAKE) clean
+	@printf 'raw_logfile=%s\n' '$(BOMSH_RAWLOG_BASE)' > '$(BOMSH_CONF)'
+	$(BOMTRACE3) -c '$(BOMSH_CONF)' $(MAKE)
+	$(BOMSH_CREATE_BOM) -r '$(BOMSH_RAWLOG)' -b '$(BOMSH_OMNIBORDIR)'
+	@if test -n "$(BOMSH_SBOM)" && test -f '$(abs_builddir)/wolfssl-$(PACKAGE_VERSION).spdx.json'; then \
+	    echo "Enriching SPDX with OmniBOR ExternalRefs..."; \
+	    $(BOMSH_SBOM) \
+	        -b '$(BOMSH_OMNIBORDIR)' \
+	        -i '$(abs_builddir)/wolfssl-$(PACKAGE_VERSION).spdx.json' \
+	        -f '$(abs_builddir)/src/.libs/libwolfssl.so.$(WOLFSSL_LIBRARY_VERSION_FIRST).$(WOLFSSL_LIBRARY_VERSION_SECOND).$(WOLFSSL_LIBRARY_VERSION_THIRD)' \
+	        -s spdx-json \
+	        -O '$(abs_builddir)'; \
+	elif test -n "$(BOMSH_SBOM)"; then \
+	    echo "NOTE: run 'make sbom' first, then 'make bomsh' for OmniBOR-enriched SPDX."; \
+	fi
+
+install-bomsh: bomsh
+	$(MKDIR_P) $(DESTDIR)$(bomshdir)
+	cp -r '$(BOMSH_OMNIBORDIR)' '$(DESTDIR)$(bomshdir)/omnibor'
+	@if test -f '$(abs_builddir)/$(BOMSH_SPDX_OUT)'; then \
+	    $(INSTALL_DATA) '$(abs_builddir)/$(BOMSH_SPDX_OUT)' '$(DESTDIR)$(bomshdir)/'; \
+	fi
+
+uninstall-bomsh:
+	-rm -rf '$(DESTDIR)$(bomshdir)/omnibor'
+	-rm -f '$(DESTDIR)$(bomshdir)/$(BOMSH_SPDX_OUT)'
+
+CLEANFILES += $(BOMSH_RAWLOG) $(BOMSH_RAWLOG_BASE).sha256 $(BOMSH_CONF) $(BOMSH_SPDX_OUT)

README.md

@@ -30,6 +30,18 @@ applications which have previously used the OpenSSL package. For a complete
 feature list, see [Chapter 4](https://www.wolfssl.com/docs/wolfssl-manual/ch4/)
 of the wolfSSL manual.
 
+## SBOM / CRA Compliance
+
+wolfSSL provides a Software Bill of Materials (SBOM) for EU Cyber Resilience
+Act (CRA) compliance via `make sbom`. See `doc/SBOM.md` for details.
+
+## OmniBOR / Bomsh
+
+wolfSSL supports generating an OmniBOR artifact dependency graph via
+`make bomsh`, providing cryptographic traceability from the installed
+library back to every source file that produced it. See `doc/SBOM.md`
+for details.
+
 ## Notes, Please Read
 
 ### Note 1

configure.ac

@@ -1989,6 +1989,7 @@ done
 # liblms
 # Get the path to the hash-sigs LMS HSS lib.
 ENABLED_LIBLMS="no"
+LIBLMS_ROOT=""
 tryliblmsdir=""
 AC_ARG_WITH([liblms],
     [AS_HELP_STRING([--with-liblms=PATH],[PATH to hash-sigs LMS/HSS install (default /usr/local) (requires --enable-experimental)!])],
@@ -2051,6 +2052,7 @@ AC_ARG_WITH([liblms],
 
         AM_CFLAGS="$AM_CFLAGS -DHAVE_LIBLMS"
         ENABLED_LIBLMS="yes"
+        LIBLMS_ROOT=$tryliblmsdir
     ]
 )
 
@@ -11756,6 +11758,21 @@ AC_SUBST([WOLFSSL_PREFIX_ABS])
 AC_SUBST([WOLFSSL_LIBDIR_ABS])
 AC_SUBST([WOLFSSL_INCLUDEDIR_ABS])
 
+# SBOM generation
+AC_PATH_PROG([PYTHON3], [python3])
+AC_PATH_PROG([PYSPDXTOOLS], [pyspdxtools])
+AC_PATH_PROG([GIT], [git])
+AC_SUBST([ENABLED_LIBOQS])
+AC_SUBST([ENABLED_LIBXMSS])
+AC_SUBST([ENABLED_LIBLMS])
+AC_SUBST([ENABLED_LIBZ])
+AC_SUBST([LIBLMS_ROOT])
+
+# Bomsh (OmniBOR build artifact tracing + SBOM enrichment)
+AC_PATH_PROG([BOMTRACE3], [bomtrace3])
+AC_PATH_PROG([BOMSH_CREATE_BOM], [bomsh_create_bom.py])
+AC_PATH_PROG([BOMSH_SBOM], [bomsh_sbom.py])
+
 # FINAL
 AC_CONFIG_FILES([stamp-h], [echo timestamp > stamp-h])
 AC_CONFIG_FILES([Makefile