Add TPM support for wc_SignCert_cb callback API #450
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Prereq PR: wolfSSL/wolfssl#9632
This pull request introduces a new callback-based approach for TPM-based certificate and CSR signing, which is recommended for FIPS compliance and simplifies the signing process. The changes add a dedicated internal signing callback and supporting context structure, update the main CSR signing function to select between the new and legacy approaches based on the device ID, and provide thorough documentation for both methods.
Callback-based TPM signing enhancements:
wolfTPM2_SignCertCb, an internal callback that implements thewc_SignCertCbinterface, enabling direct TPM-based signing for both RSA and ECC keys without relying on wolfCrypt crypto callbacks. This supports FIPS compliance and simplifies the code path.CSR_MakeAndSign_Cb, a new internal function that generates and signs CSRs or self-signed certificates using the callback-based approach, leveraging the new signing callback for direct TPM operations.TpmSignCbCtxstructure inwolftpm/tpm2_wrap.hto hold TPM device and key references for use with the signing callback.Main CSR signing function update:
wolfTPM2_CSR_MakeAndSign_exto select the callback-based signing approach whendevIdisINVALID_DEVID, and fall back to the legacy crypto callback method for backward compatibility. This includes logic to determine key type and set signature type appropriately. [1] [2]Documentation improvements:
csr.cdescribing both the new callback-based and legacy crypto callback approaches for TPM certificate signing, including usage recommendations and instructions.Testing
Setup:
TPM simulator: swtpm running on port 2321
Built wolfSSL with: --enable-certgen --enable-certreq --enable-certext --enable-cryptocb
Built wolfTPM with: --enable-swtpm --enable-certgen --enable-debug
Tests Run:
Generated RSA and ECC test keys in TPM
Created CSRs using ./examples/csr/csr
Validated CSRs with openssl req -text -noout
Results:
wc_SignCert_cb compiled into wolfSSL
wolfTPM2_SignCertCb and CSR_MakeAndSign_Cb compiled into wolfTPM
Generated valid RSA (1228 bytes) and ECC (696 bytes) CSRs
CSRs verified successfully with OpenSSL