Add wc_SignCert_cb API for external signing callbacks #9632
jackctj117 wants to merge 5 commits into wolfSSL:master from
Jenkins retest this please. History lost.
Pull request overview
This pull request adds support for signing certificates and CSRs using a user-provided callback function, enabling integration with external signing devices (TPMs/HSMs) without relying on the crypto callback infrastructure. This is particularly useful for FIPS-compliant applications where offloading cryptographic operations is not acceptable.
Changes:
- Introduced new wc_SignCert_cb API and wc_SignCertCb callback type for external certificate/CSR signing
- Refactored internal MakeSignature function to use new MakeSignatureCb internally for RSA and ECC, eliminating code duplication
- Added configure option --enable-certsigncb to enable the feature
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| wolfssl/wolfcrypt/asn_public.h | Added public API declarations for the callback-based certificate signing, including typedef for wc_SignCertCb and function declaration for wc_SignCert_cb |
| wolfcrypt/src/asn.c | Implemented internal MakeSignatureCb function and refactored MakeSignature to use callback path for RSA/ECC; added wc_SignCert_cb implementation |
| tests/api.c | Added test case test_wc_SignCert_cb with mock callback to verify the new API functionality |
| configure.ac | Added configuration option --enable-certsigncb to control compilation of the new feature |
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
4dd06e1 to 8e28ab2
Jenkins retest this
Jenkins retest this please.
dgarske left a comment
[check-source-text] [2 of 7] [wolfssl]
autogen.sh wolfssl... real 0m17.507s user 0m15.557s sys 0m0.446s
configure... real 0m12.829s user 0m10.049s sys 0m2.680s
trailing whitespace:
./wolfcrypt/src/asn.c:32089:/* Make signature from buffer (sz), write to sig (sigSz)·
./wolfcrypt/src/asn.c:32100:····
./wolfcrypt/src/asn.c:32119:········
./wolfcrypt/src/asn.c:32125:········
./wolfcrypt/src/asn.c:32137:········
C++-style comments:
./wolfssl/wolfcrypt/asn_public.h:269: // Perform signing using external device/HSM
./wolfssl/wolfcrypt/asn_public.h:601: // Initialize cert and set subject, etc.
./wolfssl/wolfcrypt/asn_public.h:603: // ... set cert fields ...
./wolfssl/wolfcrypt/asn_public.h:605: // Make certificate body
./wolfssl/wolfcrypt/asn_public.h:608: // Sign using callback
unescaped error code operands (missing WC_NO_ERR_TRACE()):
wolfcrypt/src/asn.c:32016: int ret = ALGO_ID_E;
Jenkins retest this please.
2cf03da to 6483a4b
6483a4b to 8b5bd3b
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
Jenkins retest this please.
Pull request overview
Copilot reviewed 5 out of 7 changed files in this pull request and generated 11 comments.
dgarske left a comment
@jackctj117 please review each of the copilot reviews and mark them resolved if they are solved. It looks like there might be a few that still need to be fixed.
@dgarske Just went through and confirmed the resolved comments.
This pull request adds support for signing certificates and CSRs using a user-provided callback function, enabling integration with external signing devices (such as TPMs or HSMs) without relying on the crypto callback infrastructure. This is particularly useful for FIPS-compliant applications and scenarios where offloading cryptographic operations is required. The changes include new API definitions, documentation, internal implementation, and tests for the callback-based signing mechanism.
New Callback-Based Certificate Signing API
- wc_SignCert_cb function and the wc_SignCertCb callback type, allowing certificates and CSRs to be signed via an external callback for flexible integration with devices like TPMs/HSMs. [1] [2] [3]
Internal Implementation
- MakeSignatureCb function to handle hashing, digest encoding, and invoking the user-provided signing callback, supporting both RSA and ECC key types.
Testing
Setup:
- TPM simulator: swtpm running on port 2321
- Built wolfSSL with: --enable-certgen --enable-certreq --enable-certext --enable-cryptocb
- Built wolfTPM with: --enable-swtpm --enable-certgen --enable-debug
Tests Run:
- Generated RSA and ECC test keys in TPM
- Created CSRs using ./examples/csr/csr
- Validated CSRs with openssl req -text -noout
Results:
- wc_SignCert_cb compiled into wolfSSL
- wolfTPM2_SignCertCb and CSR_MakeAndSign_Cb compiled into wolfTPM
- Generated valid RSA (1228 bytes) and ECC (696 bytes) CSRs
- CSRs verified successfully with OpenSSL
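The flow the description attributes to MakeSignatureCb (digest encoding, then invoking the user-provided signing callback for RSA or ECC), modelled as an added example; it is not code from this PR or from wolfSSL. The names sign_cb_t, make_signature_cb and mock_sign are hypothetical, the digest is assumed to be a precomputed SHA-256 value, and handing the callback a DigestInfo for RSA and the raw digest for ECC is this model's assumption, not something the page states.

```c
#include <stdint.h>
#include <string.h>
enum { KEY_RSA = 1, KEY_ECC = 2 };      /* every name here is hypothetical */
#define SHA256_LEN 32
typedef int (*sign_cb_t)(const uint8_t *in, size_t inLen, uint8_t *out,
                         size_t *outLen, int keyType, void *ctx);
/* DER DigestInfo header for SHA-256 (RFC 8017, section 9.2). */
static const uint8_t SHA256_DI[19] = { 0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,
    0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20 };

/* Encode a SHA-256 digest for the key type, then call the external signer. */
int make_signature_cb(const uint8_t *digest, size_t digestLen, int keyType,
                      uint8_t *sig, size_t *sigLen, sign_cb_t cb, void *ctx)
{
    uint8_t enc[sizeof(SHA256_DI) + SHA256_LEN];
    size_t encLen = 0, cap;
    if (!digest || !sig || !sigLen || !cb || digestLen != SHA256_LEN)
        return -1;                      /* bad arguments */
    if (keyType == KEY_RSA) {           /* PKCS#1 v1.5: DigestInfo || digest */
        memcpy(enc, SHA256_DI, sizeof(SHA256_DI));
        encLen = sizeof(SHA256_DI);
    } else if (keyType != KEY_ECC) {    /* ECDSA takes the raw digest */
        return -2;                      /* unsupported key type */
    }
    memcpy(enc + encLen, digest, SHA256_LEN);
    encLen += SHA256_LEN;
    cap = *sigLen;                      /* caller's buffer size, checked below */
    if (cb(enc, encLen, sig, sigLen, keyType, ctx) != 0)
        return -3;                      /* device failed or refused */
    return (*sigLen == 0 || *sigLen > cap) ? -4 : 0;  /* -4: bad length */
}

/* Constructed mock device: records its input, emits filler, not a signature. */
struct mock { uint8_t seen[64]; size_t seenLen; size_t claim; };
int mock_sign(const uint8_t *in, size_t inLen, uint8_t *out, size_t *outLen,
              int keyType, void *ctx)
{
    struct mock *m = (struct mock *)ctx; (void)keyType;
    memcpy(m->seen, in, inLen); m->seenLen = inLen;
    if (m->claim <= *outLen) memset(out, 0xA5, m->claim);
    *outLen = m->claim;
    return 0;
}

int main(void) {
    uint8_t d[SHA256_LEN] = {0}, sig[256]; size_t n = sizeof sig;
    struct mock m = { {0}, 0, 256 };
    return make_signature_cb(d, sizeof d, KEY_RSA, sig, &n, mock_sign, &m);
}
```

The length check after the callback only detects a misbehaving signer; a real callback still has to honour the buffer size it is given before writing.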