Add TPM support for wc_SignCert_cb callback API #450
jackctj117 wants to merge 6 commits into wolfSSL:master
Pull request overview
This PR introduces a new callback-based approach for TPM certificate and CSR signing to improve FIPS compliance and simplify the signing process. The implementation adds a direct TPM signing callback that bypasses wolfCrypt crypto callbacks when devId is INVALID_DEVID, while maintaining backward compatibility with the legacy crypto callback approach.
Changes:
- Added wolfTPM2_SignCertCb callback function and TpmSignCbCtx structure for direct TPM-based signing
- Implemented CSR_MakeAndSign_Cb function to generate and sign CSRs/certificates using the callback approach
- Updated wolfTPM2_CSR_MakeAndSign_ex to select between callback-based and legacy approaches based on devId
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| wolftpm/tpm2_wrap.h | Added TpmSignCbCtx structure to hold TPM device and key references for the signing callback |
| src/tpm2_wrap.c | Implemented wolfTPM2_SignCertCb callback, CSR_MakeAndSign_Cb function, and updated main CSR signing logic |
| examples/csr/csr.c | Added comprehensive documentation explaining both callback-based and crypto callback approaches |
…) block so it only runs for the new callback path
Prereq PR: wolfSSL/wolfssl#9632
This pull request introduces a new callback-based approach for TPM-based certificate and CSR signing, which is recommended for FIPS compliance and simplifies the signing process. The changes add a dedicated internal signing callback and supporting context structure, update the main CSR signing function to select between the new and legacy approaches based on the device ID, and provide thorough documentation for both methods.
Callback-based TPM signing enhancements:
- wolfTPM2_SignCertCb, an internal callback that implements the wc_SignCertCb interface, enabling direct TPM-based signing for both RSA and ECC keys without relying on wolfCrypt crypto callbacks. This supports FIPS compliance and simplifies the code path.
- CSR_MakeAndSign_Cb, a new internal function that generates and signs CSRs or self-signed certificates using the callback-based approach, leveraging the new signing callback for direct TPM operations.
- TpmSignCbCtx structure in wolftpm/tpm2_wrap.h to hold TPM device and key references for use with the signing callback.
Main CSR signing function update:
- wolfTPM2_CSR_MakeAndSign_ex to select the callback-based signing approach when devId is INVALID_DEVID, and fall back to the legacy crypto callback method for backward compatibility. This includes logic to determine key type and set signature type appropriately.
Documentation improvements:
- csr.c describing both the new callback-based and legacy crypto callback approaches for TPM certificate signing, including usage recommendations and instructions.
Dependent on wolfSSL/wolfssl#9632
Testing
Setup:
- TPM simulator: swtpm running on port 2321
- Built wolfSSL with: --enable-certgen --enable-certreq --enable-certext --enable-cryptocb
- Built wolfTPM with: --enable-swtpm --enable-certgen --enable-debug
Tests Run:
- Generated RSA and ECC test keys in TPM
- Created CSRs using ./examples/csr/csr
- Validated CSRs with openssl req -text -noout
Results:
- wc_SignCert_cb compiled into wolfSSL
- wolfTPM2_SignCertCb and CSR_MakeAndSign_Cb compiled into wolfTPM
- Generated valid RSA (1228 bytes) and ECC (696 bytes) CSRs
- CSRs verified successfully with OpenSSL
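
The validation step listed under Testing uses `openssl req -text -noout`, which parses and prints a request; adding `-verify` also checks the self-signature, which is the part a TPM-backed signing path produces. The script below is an added example, not part of this PR or of wolfTPM: the function names are hypothetical, and a constructed software P-256 key stands in for a TPM key so it runs without swtpm.

```shell
#!/bin/sh
# Added example (not from the PR): check that a CSR's self-signature verifies.

# csr_sig_ok FILE [PEM|DER]: succeed only if the self-signature verifies.
# Match the "verify OK" text instead of trusting the exit status, since
# older OpenSSL releases can exit 0 after a failed verification.
csr_sig_ok() {
    openssl req -in "$1" -inform "${2:-PEM}" -noout -verify 2>&1 |
        grep -q 'verify OK'
}

# csr_key_alg FILE: print the CSR's public key algorithm (PEM input).
csr_key_alg() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Constructed samples: a software P-256 key stands in for the TPM key.
# good.csr is a valid request; bad.der is the same request with its final
# byte (inside the signature) changed.
make_samples() {
    dir=$1
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem" 2>/dev/null &&
    openssl req -new -key "$dir/key.pem" -subj "/CN=constructed-sample" \
        -out "$dir/good.csr" 2>/dev/null &&
    openssl req -in "$dir/good.csr" -outform DER -out "$dir/bad.der" 2>/dev/null &&
    off=$(( $(wc -c < "$dir/bad.der") - 1 )) &&
    last=$(tail -c 1 "$dir/bad.der" | od -An -tu1 | tr -d '[:space:]') &&
    printf '%b' "\\0$(printf '%03o' $(( (last + 1) % 256 )))" |
        dd of="$dir/bad.der" bs=1 seek="$off" conv=notrunc 2>/dev/null
}

tmp=$(mktemp -d) && make_samples "$tmp" && {
    csr_sig_ok "$tmp/good.csr" &&
        echo "good.csr: $(csr_key_alg "$tmp/good.csr"), signature OK"
    csr_sig_ok "$tmp/bad.der" DER || echo "bad.der: signature rejected"
}
rm -rf "$tmp"
```

For a CSR written by ./examples/csr/csr, call `csr_sig_ok` on that file in place of the constructed samples.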