chore(deps): bump github.com/emmansun/gmsm from 0.41.0 to 0.41.1 in /nhp

[dependabot]

Bumps github.com/emmansun/gmsm from 0.41.0 to 0.41.1.

Release notes

Sourced from github.com/emmansun/gmsm's releases.

v0.41.1

This patch release focuses on security hardening and compatibility improvements since v0.41.0, with a key fix for SM9 input validation in decryption, key unwrapping, signature verification, and key exchange flows.

Highlights

• Hardened SM9 by rejecting infinity points in decrypt, unwrap, verify, and key exchange operations
• Improved DRBG robustness
• Added warnings for broken or weak cryptographic algorithms
• Improved certificate compatibility with support for explicit curve parameters in ECDSA certificates
• Refined documentation for SM2 and updated project README files
• Updated dependencies and CI tooling

Security

• Fixed SM9 validation to reject infinity points in sensitive cryptographic paths
• Hardened DRBG behavior
• Added warning messages for broken or weak cryptographic algorithms

Compatibility and X.509

• Added support for explicit curve parameters as defined in RFC 3279 for ECDSA certificates
• Improved SM2-related certificate handling and test coverage
• Expanded smx509 test coverage

Internal Improvements

• Refactored KDF implementation
• Switched internal random utility usage to math/rand/v2
• Cleaned up package comments for SLH-DSA, ML-DSA, and ML-KEM packages
• Removed go1.24-specific build tag constraints from several PQC packages

Documentation

• Rewrote the SM2 documentation
• Updated the English SM2 documentation
• Refreshed README and README-EN content

Dependencies and CI

• Updated golang.org/x/crypto to 0.48.0
• Updated github/codeql-action through 4.32.6
• Updated step-security/harden-runner to 2.15.1
• Updated actions/setup-go to 6.3.0
• Updated actions/upload-artifact to 7.0.0
• Updated docker/setup-qemu-action to 4.0.0

Contributors

Thanks to all contributors in this release:

... (truncated)

Commits

• 3ffef87 Merge pull request #453 from emmansun/develop
• 44e0ea0 Merge pull request #452 from emmansun/main
• 1085b2e SM9: reject infinity points in decrypt, unwrap, verify, and key exchange
• 38d3d93 Merge pull request #450 from emmansun/dependabot/github_actions/develop/step-...
• a92f3ce Merge pull request #449 from emmansun/dependabot/github_actions/develop/githu...
• 1b8ef15 build(deps): bump step-security/harden-runner from 2.15.0 to 2.15.1
• 3b46343 build(deps): bump github/codeql-action from 4.32.5 to 4.32.6
• 0d2c3e6 Merge pull request #448 from emmansun/dependabot/github_actions/develop/docke...
• b04963c build(deps): bump docker/setup-qemu-action from 3.7.0 to 4.0.0
• bf38540 Merge pull request #447 from emmansun/dependabot/github_actions/develop/githu...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[claude]

Review: Dependency Bump — github.com/emmansun/gmsm 0.41.0 → 0.41.1

✅ Approved — Clean patch-version dependency update with no concerns.

Changes Reviewed

• nhp/go.mod: Version pin updated (1 line)
• nhp/go.sum: Hashes updated for new version (2 lines)

Assessment

This patch release is a net security improvement for the project:

• SM9 hardening: Rejects infinity points in decrypt, unwrap, verify, and key exchange — closes a class of invalid-point attacks
• DRBG hardening: Improved deterministic random bit generator behavior
• Weak algo warnings: Added deprecation warnings for broken/weak algorithms
• Updated transitive dep golang.org/x/crypto to 0.48.0

No API-breaking changes. The companion PR for /endpoints (#1454) has already been merged. This completes the upgrade across both modules.

Verified: go.sum hashes match the expected Dependabot-generated checksums for v0.41.1.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

@@          Coverage Diff          @@
##            main   #1453   +/-   ##
=====================================
  Coverage   0.57%   0.57%           
=====================================
  Files         87      87           
  Lines      12535   12535           
=====================================
  Hits          72      72           
  Misses     12457   12457           
  Partials       6       6           

Flag	Coverage Δ
unittests	0.57% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.