Add TPM support for wc_SignCert_cb callback API

[jackctj117]

Prereq PR: wolfSSL/wolfssl#9632
This pull request introduces a new callback-based approach for TPM-based certificate and CSR signing, which is recommended for FIPS compliance and simplifies the signing process. The changes add a dedicated internal signing callback and supporting context structure, update the main CSR signing function to select between the new and legacy approaches based on the device ID, and provide thorough documentation for both methods.

Callback-based TPM signing enhancements:

• Added wolfTPM2_SignCertCb, an internal callback that implements the wc_SignCertCb interface, enabling direct TPM-based signing for both RSA and ECC keys without relying on wolfCrypt crypto callbacks. This supports FIPS compliance and simplifies the code path.
• Introduced CSR_MakeAndSign_Cb, a new internal function that generates and signs CSRs or self-signed certificates using the callback-based approach, leveraging the new signing callback for direct TPM operations.
• Defined the TpmSignCbCtx structure in wolftpm/tpm2_wrap.h to hold TPM device and key references for use with the signing callback.

Main CSR signing function update:

• Updated wolfTPM2_CSR_MakeAndSign_ex to select the callback-based signing approach when devId is INVALID_DEVID, and fall back to the legacy crypto callback method for backward compatibility. This includes logic to determine key type and set signature type appropriately. [1] [2]

Documentation improvements:

• Added detailed comments in csr.c describing both the new callback-based and legacy crypto callback approaches for TPM certificate signing, including usage recommendations and instructions.

Dependent on wolfSSL/wolfssl#9632

Testing
Setup:
TPM simulator: swtpm running on port 2321
Built wolfSSL with: --enable-certgen --enable-certreq --enable-certext --enable-cryptocb
Built wolfTPM with: --enable-swtpm --enable-certgen --enable-debug
Tests Run:
Generated RSA and ECC test keys in TPM
Created CSRs using ./examples/csr/csr
Validated CSRs with openssl req -text -noout
Results:
wc_SignCert_cb compiled into wolfSSL
wolfTPM2_SignCertCb and CSR_MakeAndSign_Cb compiled into wolfTPM
Generated valid RSA (1228 bytes) and ECC (696 bytes) CSRs
CSRs verified successfully with OpenSSL

[Copilot]

Pull request overview

This PR introduces a new callback-based approach for TPM certificate and CSR signing to improve FIPS compliance and simplify the signing process. The implementation adds a direct TPM signing callback that bypasses wolfCrypt crypto callbacks when devId is INVALID_DEVID, while maintaining backward compatibility with the legacy crypto callback approach.

Changes:

• Added wolfTPM2_SignCertCb callback function and TpmSignCbCtx structure for direct TPM-based signing
• Implemented CSR_MakeAndSign_Cb function to generate and sign CSRs/certificates using the callback approach
• Updated wolfTPM2_CSR_MakeAndSign_ex to select between callback-based and legacy approaches based on devId

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
wolftpm/tpm2_wrap.h	Added TpmSignCbCtx structure to hold TPM device and key references for the signing callback
src/tpm2_wrap.c	Implemented wolfTPM2_SignCertCb callback, CSR_MakeAndSign_Cb function, and updated main CSR signing logic
examples/csr/csr.c	Added comprehensive documentation explaining both callback-based and crypto callback approaches

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[dgarske]

Please add a CI test that enables the WOLFSSL_CERT_SIGN_CB wolfSSL option so we get coverage on this.

[dgarske]

Looks good thanks!

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[aidangarske]

Nice job with this I have some nits and changes.

I verified this run and test with RSA and ECC and CSR generation and OpenSSL validation passes. The CI currently tests compilation but not the actual new callback code path. The missing SKID extension could cause issues for users who rely on that extension being present in their CSRs.

Also Another thing to consider is updating wolfTPM2_CSR_Generate_ex() to also support the callback-based approach for consistency, or document that only wolfTPM2_CSR_MakeAndSign_ex() supports the new path.