@@ -67,6 +67,30 @@ static const char* gClientCertEccFile = ECC_CERT_PEM;
6767/* --- BEGIN TPM2 CSR Example -- */
6868/******************************************************************************/
6969
70+ /* Certificate/CSR Signing with TPM:
71+ *
72+ * wolfTPM supports two approaches for TPM-based certificate signing:
73+ *
74+ * 1. NEW CALLBACK-BASED APPROACH (Recommended for FIPS):
75+ * When devId is INVALID_DEVID, wolfTPM2_CSR_MakeAndSign_ex() uses the new
76+ * wc_SignCert_cb() API which calls TPM signing functions directly without
77+ * requiring wolfCrypt crypto callbacks. This approach:
78+ * - Uses TPM crypto directly (no wolfCrypt offloading)
79+ * - Is FIPS-compliant (doesn't rely on wolfCrypt crypto callbacks)
80+ * - Simplifies the code path
81+ *
82+ * 2. CRYPTO CALLBACK APPROACH (Legacy/Backward Compatible):
83+ * When devId is set via wolfTPM2_SetCryptoDevCb(), the legacy crypto
84+ * callback infrastructure is used. This approach:
85+ * - Uses wc_SignCert_ex() which offloads crypto operations to TPM
86+ * - Maintains backward compatibility
87+ * - Requires crypto callback setup
88+ *
89+ * This example demonstrates both approaches. By default it uses the crypto
90+ * callback approach. Use the -signcb option to use the new callback-based
91+ * approach, which passes INVALID_DEVID to wolfTPM2_CSR_MakeAndSign_ex().
92+ */
93+
7094static int TPM2_CSR_Generate (WOLFTPM2_DEV * dev , int keyType , WOLFTPM2_KEY * key ,
7195 const char * outputPemFile , int makeSelfSignedCert , int devId , int sigType )
7296{
@@ -149,9 +173,11 @@ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key,
149173static void usage (void )
150174{
151175 printf ("Expected usage:\n" );
152- printf ("./examples/csr/csr [-cert]\n" );
176+ printf ("./examples/csr/csr [-cert] [-signcb] \n" );
153177 printf ("\t-cert: Make self signed certificate instead of "
154178 "default CSR (Certificate Signing Request)\n" );
179+ printf ("\t-signcb: Use wc_SignCert_cb callback-based signing "
180+ "(FIPS compliant, requires WOLFSSL_CERT_SIGN_CB)\n" );
155181}
156182
157183int TPM2_CSR_Example (void * userCtx )
@@ -168,6 +194,7 @@ int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[])
168194 int tpmDevId ;
169195 TPMT_PUBLIC publicTemplate ;
170196 int makeSelfSignedCert = 0 ;
197+ int useSignCb = 0 ;
171198
172199 printf ("TPM2 CSR Example\n" );
173200
@@ -183,6 +210,9 @@ int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[])
183210 if (XSTRCMP (argv [argc - 1 ], "-cert" ) == 0 ) {
184211 makeSelfSignedCert = 1 ;
185212 }
213+ else if (XSTRCMP (argv [argc - 1 ], "-signcb" ) == 0 ) {
214+ useSignCb = 1 ;
215+ }
186216 else {
187217 printf ("Warning: Unrecognized option: %s\n" , argv [argc - 1 ]);
188218 }
@@ -221,7 +251,8 @@ int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[])
221251 if (rc == 0 ) {
222252 rc = TPM2_CSR_Generate (& dev , RSA_TYPE , & key ,
223253 makeSelfSignedCert ? gClientCertRsaFile : gClientCsrRsaFile ,
224- makeSelfSignedCert , tpmDevId , CTC_SHA256wRSA );
254+ makeSelfSignedCert ,
255+ useSignCb ? INVALID_DEVID : tpmDevId , CTC_SHA256wRSA );
225256 }
226257 wolfTPM2_UnloadHandle (& dev , & key .handle );
227258 wolfTPM2_UnloadHandle (& dev , & storageKey .handle );
@@ -254,7 +285,8 @@ int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[])
254285 if (rc == 0 ) {
255286 rc = TPM2_CSR_Generate (& dev , ECC_TYPE , & key ,
256287 makeSelfSignedCert ? gClientCertEccFile : gClientCsrEccFile ,
257- makeSelfSignedCert , tpmDevId , sigType );
288+ makeSelfSignedCert ,
289+ useSignCb ? INVALID_DEVID : tpmDevId , sigType );
258290 }
259291 wolfTPM2_UnloadHandle (& dev , & key .handle );
260292 wolfTPM2_UnloadHandle (& dev , & storageKey .handle );
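Review bot: The `-signcb` option is accepted unconditionally in the argument-parsing hunk (`useSignCb = 1;`), yet the new usage text says it requires WOLFSSL_CERT_SIGN_CB; on a build without that define the option's only effect is that INVALID_DEVID reaches wolfTPM2_CSR_MakeAndSign_ex(), so the user presumably gets a late signing failure instead of a clear message. I would gate the option on the define and fail early, as below. The header comment's "Is FIPS-compliant" bullet also claims more than these lines show: what the code avoids is the WOLF_CRYPTO_CB offload path, so `* - Avoids wolfCrypt crypto callbacks (WOLF_CRYPTO_CB), which FIPS builds of wolfCrypt do not enable` would be the accurate wording rather than asserting compliance for the TPM-produced signature itself. Whether wolfTPM2_SetCryptoDevCb() is still called before these lines when `-signcb` is given is outside the shown hunks; if it is, a short comment that tpmDevId goes unused on that path would help the reader. TPM2_CSR_ExampleArgs starts and ends outside the hunks.
```c
else if (XSTRCMP(argv[argc-1], "-signcb") == 0) {
#ifdef WOLFSSL_CERT_SIGN_CB
    useSignCb = 1;
#else
    printf("Error: -signcb requires wolfSSL built with WOLFSSL_CERT_SIGN_CB\n");
    usage();
    return -1; /* use the example's existing bad-argument return value, if it has one */
#endif
}
/* … unchanged: remaining option handling … */
```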