Topic: Signing question with wolftpm


I've already integrated wolfsll with vaultic 405 cryptographic chip and, now, I need to add a tpm 2.0 (nuvoton npct750). In my applicacion, I use wolfssl to sign a very very big CMS file. I already touched wolfssl (and is working 4 years to now) to:
1. receive the data to sign in a stream rather than in a blob
2. sign the content using the private key stored in vaultic.

Now, I'm using wolftpm to access nuvoton and because I'm using wolfssl, I need to use the TPM module to ONLY perform the "encryption with the private key", nothing more (without any extra hashing or padding, simply encryption).

The code I'm using is the following (it is called from inside wolfssl's rsa implementation);

int nuvoton_make_signature(const byte* in, word32 inLen, byte* out, word32* outLen)
    int outSz = (int) * outLen;
    int rc;

    rc = wolfTPM2_SignHashScheme(
        TPM_ALT_RSASSA,           // 'sigAlg'
        TPM_ALG_SHA256);         // 'hashAlg'
    *outLen = outSz;

    return rc;

It works fine (the call is returning rc==0) but the result is not a correct signature. I'm supposing than it is adding an extra padding or something else but I'm not sure the correct values for 'sigAlg' and 'hashAlg' parameters.

Could you help me, please?

Thanks in advance!

BTW: Thank you for wolftpm!!! It is amazing!


Re: Signing question with wolftpm

Hello Federico,

We are delighted to hear that you are finding the wolfTPM library useful!

To accomplish an encrypt operation without padding, you can use wolfTPM2_RsaEncrypt with the padScheme parameter set to TPM_ALG_NULL.

Here is an example: … #L326-L342

Let us know if there are questions.

Eric @ wolfSSL Support

Re: Signing question with wolftpm

hi Eric,

Thank you for your quick answer!!!

Before testing.... Are you sure? Rsa encryptinng typically imply encrypting using the PUBLIC key,

I need to encrypt using the PRIVATE key.... (formerly known as "signing") without any extra padding or else.



Re: Signing question with wolftpm

For a private key, you can use wolfTPM2_RsaDecrypt