Skip to content

Add wc_SignCert_cb API for external signing callbacks #9632

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jackctj117 wants to merge 10 commits into
base: master
Choose a base branch
from
Open

Add wc_SignCert_cb API for external signing callbacks #9632

jackctj117 wants to merge 10 commits into from
+607 −142

Conversation

@jackctj117
Copy link
Contributor

@jackctj117 jackctj117 commented Jan 8, 2026
edited
Loading

This pull request adds support for signing certificates and CSRs using a user-provided callback function, enabling integration with external signing devices (such as TPMs or HSMs) without relying on the crypto callback infrastructure. This is particularly useful for FIPS-compliant applications and scenarios where offloading cryptographic operations is required. The changes include new API definitions, documentation, internal implementation, and tests for the callback-based signing mechanism.

New Callback-Based Certificate Signing API

  • Introduced the wc_SignCert_cb function and the wc_SignCertCb callback type, allowing certificates and CSRs to be signed via an external callback for flexible integration with devices like TPMs/HSMs. [1] [2] [3]

Internal Implementation

  • Added the internal MakeSignatureCb function to handle hashing, digest encoding, and invoking the user-provided signing callback, supporting both RSA and ECC key types.

Testing
Setup:
TPM simulator: swtpm running on port 2321
Built wolfSSL with: --enable-certgen --enable-certreq --enable-certext --enable-cryptocb
Built wolfTPM with: --enable-swtpm --enable-certgen --enable-debug
Tests Run:
Generated RSA and ECC test keys in TPM
Created CSRs using ./examples/csr/csr
Validated CSRs with openssl req -text -noout
Results:
wc_SignCert_cb compiled into wolfSSL
wolfTPM2_SignCertCb and CSR_MakeAndSign_Cb compiled into wolfTPM
Generated valid RSA (1228 bytes) and ECC (696 bytes) CSRs
CSRs verified successfully with OpenSSL

@jackctj117 jackctj117 self-assigned this Jan 8, 2026
@jackctj117 jackctj117 marked this pull request as draft January 8, 2026 22:22
@jackctj117 jackctj117 mentioned this pull request Jan 8, 2026
Open
@jackctj117 jackctj117 marked this pull request as ready for review January 9, 2026 21:59
@wolfSSL wolfSSL deleted a comment from devin-ai-integration bot Jan 9, 2026
@jackctj117 jackctj117 requested a review from wolfSSL-Bot January 9, 2026 23:30
@dgarske dgarske requested review from dgarske and lealem47 and removed request for wolfSSL-Bot January 14, 2026 16:59
@dgarske
Copy link
Contributor

dgarske commented Jan 14, 2026

Jenkins retest this please. History lost.

dgarske
dgarske requested changes Jan 14, 2026
View reviewed changes
@lealem47 lealem47 requested a review from Copilot January 14, 2026 23:45
Copilot AI reviewed Jan 15, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request adds support for signing certificates and CSRs using a user-provided callback function, enabling integration with external signing devices (TPMs/HSMs) without relying on the crypto callback infrastructure. This is particularly useful for FIPS-compliant applications where offloading cryptographic operations is not acceptable.

Changes:

  • Introduced new wc_SignCert_cb API and wc_SignCertCb callback type for external certificate/CSR signing
  • Refactored internal MakeSignature function to use new MakeSignatureCb internally for RSA and ECC, eliminating code duplication
  • Added configure option --enable-certsigncb to enable the feature

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 8 comments.

File Description
wolfssl/wolfcrypt/asn_public.h Added public API declarations for the callback-based certificate signing, including typedef for wc_SignCertCb and function declaration for wc_SignCert_cb
wolfcrypt/src/asn.c Implemented internal MakeSignatureCb function and refactored MakeSignature to use callback path for RSA/ECC; added wc_SignCert_cb implementation
tests/api.c Added test case test_wc_SignCert_cb with mock callback to verify the new API functionality
configure.ac Added configuration option --enable-certsigncb to control compilation of the new feature

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@jackctj117 jackctj117 requested a review from Copilot January 15, 2026 20:12
Copilot AI reviewed Jan 15, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@dgarske dgarske self-requested a review January 19, 2026 20:06
@jackctj117 jackctj117 force-pushed the CSR-signing branch 2 times, most recently from 4dd06e1 to 8e28ab2 Compare January 20, 2026 20:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@lealem47 lealem47 Awaiting requested review from lealem47

@dgarske dgarske Awaiting requested review from dgarske

Requested changes must be addressed to merge this pull request.

Assignees

@wolfSSL-Bot wolfSSL-Bot

@jackctj117 jackctj117

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jackctj117 @dgarske @wolfSSL-Bot @lealem47