From 8802d1287a0bdef14959c47eceb2e3d0e35b8f84 Mon Sep 17 00:00:00 2001
From: Chris Conlon <chris@wolfssl.com>
Date: Mon, 9 Feb 2026 12:16:51 -0700
Subject: [PATCH] JNI/JCE: wrap wolfIO_SetTimeout(), add wolfjce.ioTimeout
 system property

---
 README_JCE.md                                 |  15 ++
 jni/include/com_wolfssl_wolfcrypt_WolfCrypt.h |  18 ++
 jni/jni_wolfcrypt.c                           |  29 ++
 .../jce/WolfCryptPKIXRevocationChecker.java   |  83 ++++++
 .../java/com/wolfssl/wolfcrypt/WolfCrypt.java |  46 ++++
 .../WolfCryptPKIXRevocationCheckerTest.java   |  70 +++++
 .../test/WolfCryptProviderIOTimeoutTest.java  | 253 ++++++++++++++++++
 .../provider/jce/test/WolfJCETestSuite.java   |   3 +-
 .../wolfssl/wolfcrypt/test/WolfCryptTest.java |  96 +++++++
 9 files changed, 612 insertions(+), 1 deletion(-)
 create mode 100644 src/test/java/com/wolfssl/provider/jce/test/WolfCryptProviderIOTimeoutTest.java

diff --git a/README_JCE.md b/README_JCE.md
index 76bc5d51..03b14300 100644
--- a/README_JCE.md
+++ b/README_JCE.md
@@ -107,6 +107,21 @@ programatically for JCE provider customization:
 | System Property | Default | To Enable | Description |
 | --- | --- | --- | --- |
 | wolfjce.debug | "false" | "true" | Enable wolfJCE debug logging |
+| wolfjce.ioTimeout | UNSET | Integer (seconds) | I/O timeout for OCSP and CRL HTTP operations (0-3600) |
+
+**wolfjce.ioTimeout** - sets the I/O timeout (in seconds) used by native wolfSSL
+for HTTP-based OCSP lookups and CRL fetching. Wraps native `wolfIO_SetTimeout()`.
+Requires native wolfSSL to be compiled with `HAVE_IO_TIMEOUT`. Valid values are
+0 to 3600 inclusive (1 hour). A value of 0 disables the timeout (default
+behavior). If the property is not set, no timeout is applied. This
+property is read during `PKIXRevocationChecker.init()`, which occurs at
+certificate path validation time. This means the property can be set or changed
+after provider registration and will be picked up on the next validation.
+Invalid values (non-numeric, negative, exceeding 3600) will cause revocation
+checker initialization to fail with `CertPathValidatorException`. This property
+replaces the Sun-specific `com.sun.security.ocsp.timeout` and
+`com.sun.security.crl.timeout` properties (which use milliseconds) with a single
+wolfJCE-specific property in seconds that applies to both OCSP and CRL operations.
 
 ### Algorithm Support:
 ---------
diff --git a/jni/include/com_wolfssl_wolfcrypt_WolfCrypt.h b/jni/include/com_wolfssl_wolfcrypt_WolfCrypt.h
index 8a8f2faa..4842edb0 100644
--- a/jni/include/com_wolfssl_wolfcrypt_WolfCrypt.h
+++ b/jni/include/com_wolfssl_wolfcrypt_WolfCrypt.h
@@ -29,6 +29,8 @@ extern "C" {
 #define com_wolfssl_wolfcrypt_WolfCrypt_SIZE_OF_1024_BITS 128L
 #undef com_wolfssl_wolfcrypt_WolfCrypt_SIZE_OF_2048_BITS
 #define com_wolfssl_wolfcrypt_WolfCrypt_SIZE_OF_2048_BITS 256L
+#undef com_wolfssl_wolfcrypt_WolfCrypt_MAX_IO_TIMEOUT_SEC
+#define com_wolfssl_wolfcrypt_WolfCrypt_MAX_IO_TIMEOUT_SEC 3600L
 /*
  * Class:     com_wolfssl_wolfcrypt_WolfCrypt
  * Method:    getWC_HASH_TYPE_NONE
@@ -181,6 +183,14 @@ JNIEXPORT jbyteArray JNICALL Java_com_wolfssl_wolfcrypt_WolfCrypt_wcCertPemToDer
 JNIEXPORT jbyteArray JNICALL Java_com_wolfssl_wolfcrypt_WolfCrypt_wcPubKeyPemToDer
   (JNIEnv *, jclass, jbyteArray);
 
+/*
+ * Class:     com_wolfssl_wolfcrypt_WolfCrypt
+ * Method:    nativeSetIOTimeout
+ * Signature: (I)V
+ */
+JNIEXPORT void JNICALL Java_com_wolfssl_wolfcrypt_WolfCrypt_nativeSetIOTimeout
+  (JNIEnv *, jclass, jint);
+
 /*
  * Class:     com_wolfssl_wolfcrypt_WolfCrypt
  * Method:    CrlEnabled
@@ -205,6 +215,14 @@ JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_WolfCrypt_OcspEnabled
 JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_WolfCrypt_Base16Enabled
   (JNIEnv *, jclass);
 
+/*
+ * Class:     com_wolfssl_wolfcrypt_WolfCrypt
+ * Method:    IoTimeoutEnabled
+ * Signature: ()Z
+ */
+JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_WolfCrypt_IoTimeoutEnabled
+  (JNIEnv *, jclass);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/jni/jni_wolfcrypt.c b/jni/jni_wolfcrypt.c
index 813038a1..51d9d974 100644
--- a/jni/jni_wolfcrypt.c
+++ b/jni/jni_wolfcrypt.c
@@ -32,6 +32,8 @@
 #include <wolfssl/wolfcrypt/coding.h>
 #include <wolfssl/wolfcrypt/asn_public.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/ssl.h>
+#include <wolfssl/wolfio.h>
 #include <com_wolfssl_wolfcrypt_WolfCrypt.h>
 #include <wolfcrypt_jni_error.h>
 
@@ -612,3 +614,30 @@ JNIEXPORT jbyteArray JNICALL Java_com_wolfssl_wolfcrypt_WolfCrypt_wcPubKeyPemToD
 #endif /* !NO_ASN && !WOLFSSL_NO_PEM && !NO_CODING) */
 }
 
+JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_WolfCrypt_IoTimeoutEnabled
+  (JNIEnv* env, jclass jcl)
+{
+    (void)env;
+    (void)jcl;
+
+#ifdef HAVE_IO_TIMEOUT
+    return JNI_TRUE;
+#else
+    return JNI_FALSE;
+#endif
+}
+
+JNIEXPORT void JNICALL Java_com_wolfssl_wolfcrypt_WolfCrypt_nativeSetIOTimeout
+  (JNIEnv* env, jclass jcl, jint timeoutSec)
+{
+    (void)jcl;
+
+#ifdef HAVE_IO_TIMEOUT
+    wolfIO_SetTimeout(timeoutSec);
+    (void)env;
+#else
+    (void)timeoutSec;
+    throwNotCompiledInException(env);
+#endif
+}
+
diff --git a/src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXRevocationChecker.java b/src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXRevocationChecker.java
index 92056480..96013260 100644
--- a/src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXRevocationChecker.java
+++ b/src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXRevocationChecker.java
@@ -80,6 +80,14 @@ public class WolfCryptPKIXRevocationChecker extends PKIXRevocationChecker {
     /* Trust anchors for determining if issuer is a trust anchor */
     private Set<TrustAnchor> trustAnchors;
 
+    /* Last applied I/O timeout value from wolfjce.ioTimeout property.
+     * Used to skip redundant JNI calls when multiple checkers or
+     * repeated init() calls read the same property value. wolfIO_SetTimeout()
+     * sets a global value, so all checkers in the JVM share the same timeout.
+     * Integer.MIN_VALUE indicates no timeout has been applied yet. */
+    private static volatile int lastAppliedIOTimeout =
+        Integer.MIN_VALUE;
+
     /**
      * Create new WolfCryptPKIXRevocationChecker.
      */
@@ -147,6 +155,10 @@ public void init(boolean forward) throws CertPathValidatorException {
         this.initialized = true;
         this.softFailExceptions.clear();
 
+        /* Set wolfSSL I/O timeout for HTTP-based operations (OCSP lookups,
+         * CRL fetching) if 'wolfjce.ioTimeout' System property is set. */
+        setIOTimeoutFromProperty();
+
         /* Verify we have OCSP support if needed */
         if (!options.contains(Option.PREFER_CRLS)) {
             if (!WolfCrypt.OcspEnabled()) {
@@ -591,6 +603,77 @@ public List<CertPathValidatorException> getSoftFailExceptions() {
         return Collections.unmodifiableList(this.softFailExceptions);
     }
 
+    /**
+     * Read and apply wolfjce.ioTimeout system property.
+     *
+     * Sets the native wolfSSL I/O timeout via wolfIO_SetTimeout()
+     * if the property is set and valid. If the property is set but
+     * contains an invalid value, throws CertPathValidatorException
+     * to fail revocation checker initialization.
+     *
+     * Note: The native timeout is a global (process-wide) setting
+     * shared by all threads and validations in the JVM. To reduce
+     * redundant JNI calls, the parsed value is compared against
+     * the last applied value and the native call is skipped if
+     * unchanged.
+     *
+     * @throws CertPathValidatorException if property value is
+     *         invalid (not a number, negative, exceeds max, or
+     *         HAVE_IO_TIMEOUT not compiled in)
+     */
+    private void setIOTimeoutFromProperty() throws CertPathValidatorException {
+
+        int timeoutSec;
+        String ioTimeout;
+
+        try {
+            ioTimeout = System.getProperty("wolfjce.ioTimeout");
+        } catch (SecurityException e) {
+            /* SecurityManager blocked property access, treat as
+             * property not set and continue without timeout */
+            return;
+        }
+
+        if (ioTimeout == null) {
+            return;
+        }
+        final String trimmed = ioTimeout.trim();
+        if (trimmed.isEmpty()) {
+            return;
+        }
+
+        try {
+            timeoutSec = Integer.parseInt(trimmed);
+
+            /* Skip JNI call if value unchanged from last apply */
+            if (timeoutSec != lastAppliedIOTimeout) {
+                WolfCrypt.setIOTimeout(timeoutSec);
+                lastAppliedIOTimeout = timeoutSec;
+
+                WolfCryptDebug.log(
+                    WolfCryptPKIXRevocationChecker.class,
+                    WolfCryptDebug.INFO,
+                    () -> "wolfjce.ioTimeout set to " +
+                    trimmed + " seconds");
+            }
+
+        } catch (NumberFormatException e) {
+            throw new CertPathValidatorException(
+                "Invalid wolfjce.ioTimeout value: " + trimmed +
+                ", must be integer seconds: " + e.getMessage(), e);
+
+        } catch (IllegalArgumentException e) {
+            throw new CertPathValidatorException(
+                "Invalid wolfjce.ioTimeout value: " + trimmed +
+                ": " + e.getMessage(), e);
+
+        } catch (WolfCryptException e) {
+            throw new CertPathValidatorException(
+                "wolfjce.ioTimeout set but native wolfSSL not " +
+                "compiled with HAVE_IO_TIMEOUT: " + e.getMessage(), e);
+        }
+    }
+
     /**
      * Clone this revocation checker.
      *
diff --git a/src/main/java/com/wolfssl/wolfcrypt/WolfCrypt.java b/src/main/java/com/wolfssl/wolfcrypt/WolfCrypt.java
index f1600e68..a5219adf 100644
--- a/src/main/java/com/wolfssl/wolfcrypt/WolfCrypt.java
+++ b/src/main/java/com/wolfssl/wolfcrypt/WolfCrypt.java
@@ -134,6 +134,7 @@ public class WolfCrypt extends WolfObject {
     private static native byte[] wcKeyPemToDer(byte[] pem, String password);
     private static native byte[] wcCertPemToDer(byte[] pem);
     private static native byte[] wcPubKeyPemToDer(byte[] pem);
+    private static native void nativeSetIOTimeout(int timeoutSec);
 
     /* Public mappings of some SSL/TLS level enums/defines */
     /** wolfSSL file type: PEM */
@@ -192,6 +193,51 @@ public class WolfCrypt extends WolfObject {
      */
     public static native boolean Base16Enabled();
 
+    /**
+     * Tests if I/O timeout (HAVE_IO_TIMEOUT) has been enabled in wolfSSL.
+     *
+     * @return true if enabled, otherwise false if not compiled in
+     */
+    public static native boolean IoTimeoutEnabled();
+
+    /** Maximum allowed I/O timeout value in seconds (1 hour) */
+    private static final int MAX_IO_TIMEOUT_SEC = 3600;
+
+    /**
+     * Set the I/O timeout used by native wolfSSL for HTTP-based operations
+     * including OCSP lookups and CRL fetching.
+     *
+     * Wraps native wolfIO_SetTimeout(). Requires native wolfSSL to be
+     * compiled with HAVE_IO_TIMEOUT.
+     *
+     * This sets a global (library-wide) timeout value in native
+     * wolfSSL. All threads and certificate validations in the same
+     * JVM share this single timeout setting.
+     *
+     * @param timeoutSec timeout value in seconds, 0 to 3600 inclusive.
+     *        A value of 0 disables the timeout (default behavior).
+     *
+     * @throws WolfCryptException if HAVE_IO_TIMEOUT is not compiled
+     *         into native wolfSSL
+     * @throws IllegalArgumentException if timeoutSec is negative or
+     *         exceeds 3600 seconds
+     */
+    public static void setIOTimeout(int timeoutSec) {
+
+        if (timeoutSec < 0) {
+            throw new IllegalArgumentException(
+                "Timeout value must not be negative");
+        }
+
+        if (timeoutSec > MAX_IO_TIMEOUT_SEC) {
+            throw new IllegalArgumentException(
+                "Timeout value must not exceed " +
+                MAX_IO_TIMEOUT_SEC + " seconds");
+        }
+
+        nativeSetIOTimeout(timeoutSec);
+    }
+
     /**
      * Constant time byte array comparison.
      *
diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptPKIXRevocationCheckerTest.java b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptPKIXRevocationCheckerTest.java
index 729c48b3..004f0d35 100644
--- a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptPKIXRevocationCheckerTest.java
+++ b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptPKIXRevocationCheckerTest.java
@@ -23,6 +23,7 @@
 
 import static org.junit.Assert.*;
 
+import org.junit.After;
 import org.junit.Assume;
 import org.junit.BeforeClass;
 import org.junit.Test;
@@ -68,6 +69,15 @@ public class WolfCryptPKIXRevocationCheckerTest {
     @Rule(order = Integer.MIN_VALUE)
     public TestRule testWatcher = TimedTestWatcher.create();
 
+    /**
+     * Clean up wolfjce.ioTimeout system property after each
+     * test to avoid affecting other tests.
+     */
+    @After
+    public void clearIOTimeoutProperty() {
+        System.clearProperty("wolfjce.ioTimeout");
+    }
+
     /**
      * Test if this environment is Android.
      * @return true if Android, otherwise false
@@ -1023,5 +1033,65 @@ public void testRevocationCheckerInitClearsExceptions() throws Exception {
 
         cm.free();
     }
+
+    @Test(timeout = 15000)
+    public void testRevocationCheckerIOTimeoutLowValue()
+        throws Exception {
+
+        if (!WolfCrypt.OcspEnabled()) {
+            /* Skip test if OCSP not compiled in */
+            return;
+        }
+
+        if (!WolfCrypt.IoTimeoutEnabled()) {
+            /* Skip test if HAVE_IO_TIMEOUT not compiled in */
+            return;
+        }
+
+        CertPathValidator cpv = CertPathValidator.getInstance("PKIX", provider);
+        WolfCryptPKIXRevocationChecker checker =
+            (WolfCryptPKIXRevocationChecker)cpv.getRevocationChecker();
+
+        /* Load certs */
+        FileInputStream fis = new FileInputStream(caCertDer);
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+        X509Certificate caCert = (X509Certificate)cf.generateCertificate(fis);
+        fis.close();
+
+        fis = new FileInputStream(serverCertDer);
+        X509Certificate serverCert =
+            (X509Certificate)cf.generateCertificate(fis);
+        fis.close();
+
+        /* Set 1 second I/O timeout via system property */
+        System.setProperty("wolfjce.ioTimeout", "1");
+
+        /* Set SOFT_FAIL and override OCSP URL to non-routable address.
+         * 198.51.100.1 (TEST-NET-2, RFC 5737) is not routable, so TCP connect
+         * will hang until timeout kicks in, rather than getting an immediate
+         * connection refused like localhost would. */
+        Set<Option> options = EnumSet.of(Option.SOFT_FAIL);
+        checker.setOptions(options);
+        checker.setOcspResponder(new URI("http://198.51.100.1:12345"));
+
+        /* Create CertManager, load CA, and init */
+        WolfSSLCertManager cm = new WolfSSLCertManager();
+        cm.CertManagerLoadCA(caCert);
+        checker.setCertManager(cm);
+        checker.init(false);
+
+        /* Time the check() call. With 1 second timeout and a non-routable OCSP
+         * URL, should complete quickly. */
+        long startMs = System.currentTimeMillis();
+        checker.check(serverCert, null);
+        long elapsedMs = System.currentTimeMillis() - startMs;
+
+        /* Verify check completed within reasonable time.
+         * Allow 10 sec margin for system overhead/etc. */
+        assertTrue("OCSP check with 1s timeout took " + elapsedMs +
+            "ms, expected < 10000ms", elapsedMs < 10000);
+
+        cm.free();
+    }
 }
 
diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptProviderIOTimeoutTest.java b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptProviderIOTimeoutTest.java
new file mode 100644
index 00000000..4c194134
--- /dev/null
+++ b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptProviderIOTimeoutTest.java
@@ -0,0 +1,253 @@
+/* WolfCryptProviderIOTimeoutTest.java
+ *
+ * Copyright (C) 2006-2026 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+package com.wolfssl.provider.jce.test;
+
+import static org.junit.Assert.*;
+
+import org.junit.After;
+import org.junit.BeforeClass;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TestRule;
+
+import java.security.Security;
+import java.security.Provider;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.PKIXRevocationChecker;
+
+import com.wolfssl.provider.jce.WolfCryptProvider;
+import com.wolfssl.provider.jce.WolfCryptPKIXRevocationChecker;
+import com.wolfssl.wolfcrypt.WolfCrypt;
+import com.wolfssl.wolfcrypt.test.TimedTestWatcher;
+
+/**
+ * Tests for wolfjce.ioTimeout system property handling in
+ * WolfCryptPKIXRevocationChecker.
+ *
+ * The wolfjce.ioTimeout property is read during
+ * WolfCryptPKIXRevocationChecker.init(), which is called
+ * at validation time. This allows the property to be set
+ * or changed after provider registration.
+ *
+ * These tests verify that init() correctly reads and
+ * applies valid property values, and throws
+ * CertPathValidatorException for invalid values.
+ */
+public class WolfCryptProviderIOTimeoutTest {
+
+    @Rule(order = Integer.MIN_VALUE)
+    public TestRule testWatcher = TimedTestWatcher.create();
+
+    @BeforeClass
+    public static void testSetup() {
+        System.out.println(
+            "JCE WolfCryptPKIXRevocationChecker IO Timeout");
+
+        Security.insertProviderAt(
+            new WolfCryptProvider(), 1);
+        Provider p = Security.getProvider("wolfJCE");
+        assertNotNull(p);
+    }
+
+    /**
+     * Clean up wolfjce.ioTimeout system property after each
+     * test to avoid affecting other tests.
+     */
+    @After
+    public void clearProperty() {
+        System.clearProperty("wolfjce.ioTimeout");
+    }
+
+    /**
+     * Helper to create a new revocation checker and call
+     * init(). Uses SOFT_FAIL so init() does not throw if
+     * OCSP is not compiled in.
+     */
+    private WolfCryptPKIXRevocationChecker initChecker()
+        throws Exception {
+
+        WolfCryptPKIXRevocationChecker checker =
+            new WolfCryptPKIXRevocationChecker();
+        checker.setOptions(java.util.EnumSet.of(
+            PKIXRevocationChecker.Option.SOFT_FAIL));
+        checker.init(false);
+        return checker;
+    }
+
+    /* -------------------------------------------------------- */
+    /* Valid value tests - init() should succeed                 */
+    /* -------------------------------------------------------- */
+
+    @Test
+    public void testCheckerValidIOTimeout() throws Exception {
+        if (!WolfCrypt.IoTimeoutEnabled()) {
+            return;
+        }
+        /* Set valid timeout, init should not throw */
+        System.setProperty("wolfjce.ioTimeout", "5");
+        WolfCryptPKIXRevocationChecker checker = initChecker();
+        assertNotNull("Checker should not be null", checker);
+    }
+
+    @Test
+    public void testCheckerIOTimeoutZero() throws Exception {
+        if (!WolfCrypt.IoTimeoutEnabled()) {
+            return;
+        }
+        /* Zero disables timeout, should succeed */
+        System.setProperty("wolfjce.ioTimeout", "0");
+        WolfCryptPKIXRevocationChecker checker = initChecker();
+        assertNotNull("Checker should not be null", checker);
+    }
+
+    @Test
+    public void testCheckerIOTimeoutMax() throws Exception {
+        if (!WolfCrypt.IoTimeoutEnabled()) {
+            return;
+        }
+        /* Max valid value (3600 seconds = 1 hour) */
+        System.setProperty("wolfjce.ioTimeout", "3600");
+        WolfCryptPKIXRevocationChecker checker = initChecker();
+        assertNotNull("Checker should not be null", checker);
+    }
+
+    @Test
+    public void testCheckerNoIOTimeoutProperty()
+        throws Exception {
+
+        /* No property set, init should work normally */
+        System.clearProperty("wolfjce.ioTimeout");
+        WolfCryptPKIXRevocationChecker checker = initChecker();
+        assertNotNull("Checker should not be null", checker);
+    }
+
+    @Test
+    public void testCheckerEmptyIOTimeoutProperty()
+        throws Exception {
+
+        /* Empty string should be ignored, same as not set */
+        System.setProperty("wolfjce.ioTimeout", "");
+        WolfCryptPKIXRevocationChecker checker = initChecker();
+        assertNotNull("Checker should not be null", checker);
+    }
+
+    @Test
+    public void testCheckerIOTimeoutSetAfterConstruction()
+        throws Exception {
+
+        if (!WolfCrypt.IoTimeoutEnabled()) {
+            return;
+        }
+
+        /* Verify property is read at init() time, not at
+         * construction time. Create checker first, then set
+         * property, then call init(). */
+        WolfCryptPKIXRevocationChecker checker =
+            new WolfCryptPKIXRevocationChecker();
+        checker.setOptions(java.util.EnumSet.of(
+            PKIXRevocationChecker.Option.SOFT_FAIL));
+
+        /* Set property after checker construction */
+        System.setProperty("wolfjce.ioTimeout", "10");
+
+        /* init() should pick up the property */
+        checker.init(false);
+        assertNotNull("Checker should not be null", checker);
+    }
+
+    @Test
+    public void testCheckerIOTimeoutChangeBetweenInits()
+        throws Exception {
+
+        if (!WolfCrypt.IoTimeoutEnabled()) {
+            return;
+        }
+
+        /* Verify property change is picked up on
+         * subsequent init() calls */
+        WolfCryptPKIXRevocationChecker checker =
+            new WolfCryptPKIXRevocationChecker();
+        checker.setOptions(java.util.EnumSet.of(
+            PKIXRevocationChecker.Option.SOFT_FAIL));
+
+        /* First init with 5 second timeout */
+        System.setProperty("wolfjce.ioTimeout", "5");
+        checker.init(false);
+
+        /* Change to 30 seconds and re-init */
+        System.setProperty("wolfjce.ioTimeout", "30");
+        checker.init(false);
+
+        assertNotNull("Checker should not be null", checker);
+    }
+
+    /* -------------------------------------------------------- */
+    /* Invalid value tests - init() should throw                */
+    /* CertPathValidatorException                               */
+    /* -------------------------------------------------------- */
+
+    @Test(expected = CertPathValidatorException.class)
+    public void testCheckerInvalidIOTimeoutNonNumeric()
+        throws Exception {
+
+        /* Non-numeric value should fail init() */
+        System.setProperty("wolfjce.ioTimeout", "abc");
+        initChecker();
+    }
+
+    @Test(expected = CertPathValidatorException.class)
+    public void testCheckerInvalidIOTimeoutFloat()
+        throws Exception {
+
+        /* Float value should fail init() */
+        System.setProperty("wolfjce.ioTimeout", "5.5");
+        initChecker();
+    }
+
+    @Test(expected = CertPathValidatorException.class)
+    public void testCheckerNegativeIOTimeout()
+        throws Exception {
+
+        /* Negative value should fail init() */
+        System.setProperty("wolfjce.ioTimeout", "-1");
+        initChecker();
+    }
+
+    @Test(expected = CertPathValidatorException.class)
+    public void testCheckerIOTimeoutExceedsMax()
+        throws Exception {
+
+        /* Value exceeding max (3600) should fail init() */
+        System.setProperty("wolfjce.ioTimeout", "3601");
+        initChecker();
+    }
+
+    @Test(expected = CertPathValidatorException.class)
+    public void testCheckerIOTimeoutOverflowValue()
+        throws Exception {
+
+        /* Overflow integer value should fail init() */
+        System.setProperty("wolfjce.ioTimeout",
+            "99999999999999");
+        initChecker();
+    }
+}
diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfJCETestSuite.java b/src/test/java/com/wolfssl/provider/jce/test/WolfJCETestSuite.java
index c2b0451c..95668770 100644
--- a/src/test/java/com/wolfssl/provider/jce/test/WolfJCETestSuite.java
+++ b/src/test/java/com/wolfssl/provider/jce/test/WolfJCETestSuite.java
@@ -56,7 +56,8 @@
     WolfCryptASN1UtilTest.class,
     WolfSSLKeyStoreTest.class,
     WolfCryptUtilTest.class,
-    WolfCryptServiceLoaderTest.class
+    WolfCryptServiceLoaderTest.class,
+    WolfCryptProviderIOTimeoutTest.class
 })
 
 public class WolfJCETestSuite { }
diff --git a/src/test/java/com/wolfssl/wolfcrypt/test/WolfCryptTest.java b/src/test/java/com/wolfssl/wolfcrypt/test/WolfCryptTest.java
index 447e9fcf..a7e942df 100644
--- a/src/test/java/com/wolfssl/wolfcrypt/test/WolfCryptTest.java
+++ b/src/test/java/com/wolfssl/wolfcrypt/test/WolfCryptTest.java
@@ -1020,5 +1020,101 @@ public void testCertPemToDerConsistentOutput() throws Exception {
         assertArrayEquals("Multiple conversions should produce same result",
                           der2, der3);
     }
+
+    @Test
+    public void testIoTimeoutEnabled() {
+        /* Result depends on wolfSSL compile options, but multiple
+         * calls should return a consistent value */
+        boolean enabled1 = WolfCrypt.IoTimeoutEnabled();
+        boolean enabled2 = WolfCrypt.IoTimeoutEnabled();
+        assertEquals("IoTimeoutEnabled should return consistent value",
+                     enabled1, enabled2);
+    }
+
+    @Test
+    public void testSetIOTimeoutValidValues() {
+
+        if (!WolfCrypt.IoTimeoutEnabled()) {
+            System.out.println("Skipping: HAVE_IO_TIMEOUT not enabled");
+            return;
+        }
+
+        /* Test a range of valid values */
+        WolfCrypt.setIOTimeout(0);
+        WolfCrypt.setIOTimeout(1);
+        WolfCrypt.setIOTimeout(5);
+        WolfCrypt.setIOTimeout(30);
+        WolfCrypt.setIOTimeout(3600);
+
+        /* Reset to default (no timeout) */
+        WolfCrypt.setIOTimeout(0);
+    }
+
+    @Test
+    public void testSetIOTimeoutZeroDisables() {
+
+        if (!WolfCrypt.IoTimeoutEnabled()) {
+            System.out.println("Skipping: HAVE_IO_TIMEOUT not enabled");
+            return;
+        }
+
+        /* Zero should disable timeout (default behavior) */
+        WolfCrypt.setIOTimeout(0);
+    }
+
+    @Test
+    public void testSetIOTimeoutMaxBoundary() {
+
+        if (!WolfCrypt.IoTimeoutEnabled()) {
+            System.out.println("Skipping: HAVE_IO_TIMEOUT not enabled");
+            return;
+        }
+
+        /* Exactly 3600 should succeed */
+        WolfCrypt.setIOTimeout(3600);
+
+        /* Reset to default */
+        WolfCrypt.setIOTimeout(0);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void testSetIOTimeoutNegative() {
+        WolfCrypt.setIOTimeout(-1);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void testSetIOTimeoutNegativeLarge() {
+        WolfCrypt.setIOTimeout(Integer.MIN_VALUE);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void testSetIOTimeoutExceedsMax() {
+        WolfCrypt.setIOTimeout(3601);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void testSetIOTimeoutExceedsMaxLarge() {
+        WolfCrypt.setIOTimeout(Integer.MAX_VALUE);
+    }
+
+    @Test
+    public void testSetIOTimeoutNotCompiledIn() {
+
+        if (WolfCrypt.IoTimeoutEnabled()) {
+            /* Feature is available, skip this test */
+            return;
+        }
+
+        /* When HAVE_IO_TIMEOUT is not compiled in, calling
+         * setIOTimeout should throw WolfCryptException */
+        try {
+            WolfCrypt.setIOTimeout(5);
+            fail("Should have thrown WolfCryptException " +
+                 "when HAVE_IO_TIMEOUT not compiled in");
+        }
+        catch (WolfCryptException e) {
+            /* Expected */
+        }
+    }
 }