Skip to content

Commit 8bd520c

Browse files
committed
Address review: clear crypto callback on error, gate SHA-1 to RSA, cryptocb docs, fix comment
1 parent d4271c9 commit 8bd520c

4 files changed

Lines changed: 25 additions & 14 deletions

File tree

.github/workflows/tpm-ssh.yml

Lines changed: 10 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -51,12 +51,17 @@ jobs:
5151
run: |
5252
cd wolfssl
5353
./autogen.sh
54-
# certgen/certreq/certext: generate the X.509 host certificate from the
55-
# TPM key. WC_SIG_MIN_HASH_TYPE=SHA: the RSA x509v3-ssh-rsa host cert is
56-
# SHA-1; modern wolfSSL otherwise rejects SHA-1 RSA signatures.
54+
# certgen/certreq/certext/cryptocb: generate the X.509 host certificate
55+
# from the TPM key via the crypto callback.
56+
EXTRA_CFLAGS="-DWC_RSA_NO_PADDING"
57+
# The RSA x509v3-ssh-rsa host cert is SHA-1; modern wolfSSL otherwise
58+
# rejects SHA-1 RSA signatures. Only needed for the RSA cells.
59+
if [ "${{ matrix.keytype }}" = "rsa" ]; then
60+
EXTRA_CFLAGS="$EXTRA_CFLAGS -DWC_SIG_MIN_HASH_TYPE=WC_HASH_TYPE_SHA"
61+
fi
5762
./configure --enable-wolftpm --enable-wolfssh --enable-keygen \
58-
--enable-certgen --enable-certreq --enable-certext \
59-
CFLAGS="-DWC_RSA_NO_PADDING -DWC_SIG_MIN_HASH_TYPE=WC_HASH_TYPE_SHA"
63+
--enable-certgen --enable-certreq --enable-certext --enable-cryptocb \
64+
CFLAGS="$EXTRA_CFLAGS"
6065
make
6166
sudo make install
6267
sudo ldconfig

README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -637,6 +637,7 @@ and wolfSSL/wolfTPM built with certificate generation:
637637
wolfSSL
638638
$ ./configure --enable-wolfssh --enable-wolftpm --enable-keygen \
639639
--enable-certgen --enable-certreq --enable-certext \
640+
--enable-cryptocb \
640641
CFLAGS="-DWC_RSA_NO_PADDING"
641642
wolfTPM
642643
$ ./configure --enable-fwtpm --enable-swtpm

examples/tpmcertserver/tpmcertclient.c

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -52,8 +52,12 @@ static int TpmCcUserAuth(byte authType, WS_UserAuthData* authData, void* ctx)
5252
}
5353

5454

55-
/* The server host key is an X.509 certificate; it was already verified against
56-
* the root CA loaded with wolfSSH_CTX_AddRootCert_buffer(). Accept it. */
55+
/* Host key acceptance callback. wolfSSH verifies the server's X.509 certificate
56+
* chain against the root CA loaded with wolfSSH_CTX_AddRootCert_buffer() later,
57+
* during the key exchange, when it extracts the public key from the certificate.
58+
* Because the client only accepts x509v3 host key algorithms, that CA
59+
* verification is always performed. This callback just accepts the presented
60+
* host key blob. */
5761
static int TpmCcHostKeyCheck(const byte* pubKey, word32 pubKeySz, void* ctx)
5862
{
5963
WOLFSSH_UNUSED(pubKey);

examples/tpmcertserver/tpmcertserver.c

Lines changed: 8 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -146,13 +146,14 @@ static int TpmCsMakeKeyAndCert(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
146146
rc = 0;
147147
}
148148

149-
/* The crypto callback is only needed to self-sign the certificate. Clear
150-
* it before wolfSSH runs: host-key signing uses wolfTPM2_SignHashScheme()
151-
* directly, and a registered callback would route wolfSSH's certificate
152-
* parsing through the TPM. This reset is required, so treat a failure as
153-
* fatal. */
154-
if (rc == 0 && devId != INVALID_DEVID) {
155-
rc = wolfTPM2_ClearCryptoDevCb(dev, devId);
149+
/* The crypto callback is only needed to self-sign the certificate. Always
150+
* clear it (including on error paths) before wolfSSH runs: host-key signing
151+
* uses wolfTPM2_SignHashScheme() directly, and a registered callback would
152+
* route wolfSSH's certificate parsing through the TPM. */
153+
if (devId != INVALID_DEVID) {
154+
int clearRc = wolfTPM2_ClearCryptoDevCb(dev, devId);
155+
if (rc == 0)
156+
rc = clearRc;
156157
}
157158

158159
/* Restore a clean password session on the device. The certificate signing

0 commit comments

Comments
 (0)