Skip to content

Add wc_SignCert_cb API for external signing callbacks #9632

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jackctj117 wants to merge 10 commits into
base: master
Choose a base branch
from
+607 −142
Open

Add wc_SignCert_cb API for external signing callbacks #9632

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
40a19a9
Add wc_SignCert_cb API for external signing callbacks
jackctj117 Jan 8, 2026
4067062
removed idx, added to test matrix
jackctj117 Jan 8, 2026
0c14c34
Fix test_wc_SignCert_cb: pass RNG for ECC signing
jackctj117 Jan 9, 2026
15df776
FIX: (word32) cast
jackctj117 Jan 9, 2026
2a6ef31
Add --enable-certsigncb build option and eliminate cert signing dupli…
jackctj117 Jan 14, 2026
5bab5c3
Guard wc_SignCert_cb test with WOLFSSL_CERT_SIGN_CB to fix CI failures
jackctj117 Jan 14, 2026
c444d9f
Fix for when RSA is enabled
jackctj117 Jan 14, 2026
7e7e637
Fix cert sign callback issues: heap usage, documentation, and test RNG
jackctj117 Jan 15, 2026
8e28ab2
Address Copilot feedback: clarify typedef and fix error codes for uns…
jackctj117 Jan 15, 2026
235bf85
Fixes for failed rebase
jackctj117 Jan 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions configure.ac
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4588,6 +4588,19 @@ then
fi


# CERT SIGN CALLBACK
AC_ARG_ENABLE([certsigncb],
[AS_HELP_STRING([--enable-certsigncb],[Enable cert signing callback API for TPM/HSM (default: disabled)])],
[ ENABLED_CERTSIGNCB=$enableval ],
[ ENABLED_CERTSIGNCB=no ]
)

if test "$ENABLED_CERTSIGNCB" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_SIGN_CB"
fi


# SEP
AC_ARG_ENABLE([sep],
[AS_HELP_STRING([--enable-sep],[Enable sep extensions (default: disabled)])],
Expand Down
122 changes: 122 additions & 0 deletions tests/api.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19611,6 +19611,125 @@ static int test_MakeCertWithCaFalse(void)
return EXPECT_RESULT();
}

/* Mock callback for testing wc_SignCert_cb */
#if defined(WOLFSSL_CERT_SIGN_CB) && (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_REQ))
/* Context structure for mock signing callback */
typedef struct {
void* key; /* Pointer to RSA or ECC key */
WC_RNG* rng; /* Random number generator (required for ECC) */
} MockSignCtx;

static int mockSignCb(const byte* in, word32 inLen, byte* out, word32* outLen,
int sigAlgo, int keyType, void* ctx)
{
int ret = 0;
MockSignCtx* signCtx = (MockSignCtx*)ctx;

if (signCtx == NULL || signCtx->key == NULL || in == NULL ||
out == NULL || outLen == NULL) {
return BAD_FUNC_ARG;
}

(void)sigAlgo;

#ifndef NO_RSA
if (keyType == RSA_TYPE) {
RsaKey* rsaKey = (RsaKey*)signCtx->key;
word32 outSz = *outLen;

/* For RSA, input is DER-encoded digest (DigestInfo structure) */
ret = wc_RsaSSL_Sign(in, inLen, out, outSz, rsaKey, signCtx->rng);
if (ret > 0) {
*outLen = (word32)ret;
ret = 0;
}
}
else
#endif
#ifdef HAVE_ECC
if (keyType == ECC_TYPE) {
ecc_key* eccKey = (ecc_key*)signCtx->key;
word32 outSz = *outLen;

/* For ECC, input is raw hash, sign it (RNG required for ECDSA k value) */
ret = wc_ecc_sign_hash(in, inLen, out, &outSz, signCtx->rng, eccKey);
if (ret == 0) {
*outLen = outSz;
}
}
else
#endif
{
ret = BAD_FUNC_ARG;
}

return ret;
}
#endif

#ifdef WOLFSSL_CERT_SIGN_CB
static int test_wc_SignCert_cb(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_CERT_GEN) && defined(HAVE_ECC) && !defined(NO_ASN_TIME)
Cert cert;
byte der[FOURK_BUF];
int derSize = 0;
WC_RNG rng;
ecc_key key;
MockSignCtx signCtx;
int ret;

XMEMSET(&rng, 0, sizeof(WC_RNG));
XMEMSET(&key, 0, sizeof(ecc_key));
XMEMSET(&cert, 0, sizeof(Cert));
XMEMSET(&signCtx, 0, sizeof(MockSignCtx));

ExpectIntEQ(wc_InitRng(&rng), 0);
ExpectIntEQ(wc_ecc_init(&key), 0);
ExpectIntEQ(wc_ecc_make_key(&rng, 32, &key), 0);
ExpectIntEQ(wc_InitCert(&cert), 0);

(void)XSTRNCPY(cert.subject.country, "US", CTC_NAME_SIZE);
(void)XSTRNCPY(cert.subject.state, "state", CTC_NAME_SIZE);
(void)XSTRNCPY(cert.subject.locality, "locality", CTC_NAME_SIZE);
(void)XSTRNCPY(cert.subject.org, "org", CTC_NAME_SIZE);
(void)XSTRNCPY(cert.subject.unit, "unit", CTC_NAME_SIZE);
(void)XSTRNCPY(cert.subject.commonName, "www.example.com",
CTC_NAME_SIZE);
(void)XSTRNCPY(cert.subject.email, "test@example.com", CTC_NAME_SIZE);

cert.selfSigned = 1;
cert.isCA = 0;
cert.sigType = CTC_SHA256wECDSA;

/* Make cert body */
ExpectIntGT(wc_MakeCert(&cert, der, FOURK_BUF, NULL, &key, &rng), 0);

/* Setup signing context with key and RNG */
signCtx.key = &key;
signCtx.rng = &rng;

/* Sign using callback API */
ExpectIntGT(derSize = wc_SignCert_cb(cert.bodySz, cert.sigType, der,
FOURK_BUF, ECC_TYPE, mockSignCb, &signCtx, &rng), 0);

/* Verify the certificate was created properly */
ExpectIntGT(derSize, 0);

/* Test error cases */
ExpectIntEQ(wc_SignCert_cb(cert.bodySz, cert.sigType, der,
FOURK_BUF, ECC_TYPE, NULL, &signCtx, &rng), BAD_FUNC_ARG);

ret = wc_ecc_free(&key);
ExpectIntEQ(ret, 0);
ret = wc_FreeRng(&rng);
ExpectIntEQ(ret, 0);
#endif
return EXPECT_RESULT();
}
#endif /* WOLFSSL_CERT_SIGN_CB */

static int test_ERR_load_crypto_strings(void)
{
#if defined(OPENSSL_ALL)
Expand Down Expand Up @@ -31082,6 +31201,9 @@ TEST_CASE testCases[] = {
TEST_DECL(test_MakeCertWithPathLen),
TEST_DECL(test_MakeCertWith0Ser),
TEST_DECL(test_MakeCertWithCaFalse),
#ifdef WOLFSSL_CERT_SIGN_CB
TEST_DECL(test_wc_SignCert_cb),
#endif
TEST_DECL(test_wc_SetKeyUsage),
TEST_DECL(test_wc_SetAuthKeyIdFromPublicKey_ex),
TEST_DECL(test_wc_SetSubjectBuffer),
Expand Down
Loading