zpcprovider for sign/verify (ecdsa/eddsa) by holger-dengler · Pull Request #41 · opencryptoki/libzpc

holger-dengler · 2026-04-10T15:05:26Z

This PR requires PR #40.

This PR adds OpenSSL provider support for libzpc. This first version covers the main functionality for store, keymgmt, sign/verify and decoder support.

As the series add a lot of new code, it is split into many commits to make the review (hopefully) a bit easier.

ToDo:

public key support for store/decoder
alloc/free needs some debugging

Restriction:

the tests uses hard-coded public keys, so running tests on other machines require code changes in tprovider.c.
the provider only supports uv origins, so testing is limited to SEL environments.

ifranzki · 2026-04-13T06:49:57Z

Are you looking at the Travis build failures? You might need to build OpenSSL from source to have a 3.5.0 version to build against.

holger-dengler · 2026-04-13T07:03:06Z

Yes, a fix for the travis is in progress. It looks like travis only provides 3.0 out of the box. So I'll build my own. At least 3.5, better 4.0.

holger-dengler · 2026-05-02T16:09:50Z

The update contains:

re-order of the commits (move test to the end of the series)
rework of signature/eddsa
pick review comments
minor fixes

holger-dengler · 2026-05-02T17:45:24Z

Another update (force push) to remove the merge conflicts and add a fix for travis.

ifranzki · 2026-05-04T07:13:38Z

I would suggest to also add tests that utilize the openssl application to use protected key origins. For example, creating/signing a certificate with a protected key origin specified via URI or PEM using openssl x509 -in cert.csr -out cert.pem -req -signkey <protected key origin> -days 1001.

holger-dengler · 2026-05-04T08:03:54Z

I would suggest to also add tests that utilize the openssl application to use protected key origins. For example, creating/signing a certificate with a protected key origin specified via URI or PEM using openssl x509 -in cert.csr -out cert.pem -req -signkey <protected key origin> -days 1001.

I plan to rework the test. tprovider will be renamed (t_provider) and changed to do only the lookup for the provider components. All key-related functional test will be moved to a new t_openssl test script, which uses openssl to create keys and call the functions. such a split is required to run the tests in a CI.

ifranzki · 2026-05-05T08:19:49Z

I would move the provider sources into a subdirectory, e.g. src/provider/. Maybe even move the library sources into a subdirectory e.g. src/lib/.

holger-dengler · 2026-05-05T08:44:36Z

I would postpone the source code restructuring until the provider transition is done (symmetric cipher, secure-key origins etc). There will be eventually also some removal of no longer used code.

ifranzki · 2026-05-06T06:03:10Z

@@ -0,0 +1,28 @@
+HOME = .


How about installing OpenSSL config snippets into /etc/pki/tls/openssl.d/ ? That way the user does not have to manually edit the OpenSSL config file, but the config snippet for your provider is automatically included, due to

#Place the third party provider configuration files into this folder .include /etc/pki/tls/openssl.d

It is planned for the next PR version. IMHO we need both, the current one for stand-alone testing purposes (without installing the provider), and the snippet for the install. For the latter I need to find out, how to get the OpenSSL module-directory.

Not yet included.

Introduce a asymmetric key management to map the provider-specific key object to a intern zpc-key. Not supported: - key generation - key import/export Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Add helpers to generate DER-encoded algorithm-ids based on key and digest information. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Add signature algorithms for sign/verify with ECDSA and EDDSA keys. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Add the supported TLS properties of the hbkzpc provider. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

The ASN.1 module provides DER en-/decoding for hbkzpc-URIs. These functions are required for the decoder/encoder support. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Add internal object build target for ASN.1 module. The internal object can be shared between targets. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Add decoders for PEM and DER to support hbkzpc-URI files. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

To use the zpc functionality via the OpenSSL API, the zpc provider has to be defined in the OpenSSL configuration. The build configures the template and creates a `openssl.cnf` file, which can be used for test purposes. The configuration file will be created in the build output folder. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Add provider test framework with a base retrieval of the hbkzpc provider. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Integrate new provider testcases for builds with test enabled. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Add tests for the sore-loader. It covers mainly the open()/load()/eof() sequence. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Add test for loading a EVP PKEY object from a hbkzpc-URI via store and keymgmt. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Add sign/verify tests for full and pre-hashed messages. The verification is checked across both variants. Note: The test covers only ECDSA and uses a hard-coded key origin. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Add tests for the DER encoding. It takes the hard-coded ECDSA key and stores it as a file. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Add simple decoder fetch test. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Add tests to use hbkzpc-URI file for sign/verify (instead of loading the URI via store). Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

holger-dengler requested review from fcallies and ifranzki April 10, 2026 15:05

holger-dengler commented Apr 13, 2026

View reviewed changes

Comment thread src/uri.c Outdated

ifranzki reviewed Apr 13, 2026

View reviewed changes

Comment thread src/provider.c Outdated

ifranzki reviewed Apr 13, 2026

View reviewed changes

Comment thread src/object.h Outdated

ifranzki reviewed Apr 13, 2026

View reviewed changes

Comment thread src/signature.c Outdated

ifranzki reviewed Apr 14, 2026

View reviewed changes

Comment thread src/signature.c

holger-dengler force-pushed the provider-sign branch 2 times, most recently from 7c72889 to 1659e06 Compare May 2, 2026 15:53

holger-dengler requested a review from ifranzki May 2, 2026 16:10

holger-dengler force-pushed the provider-sign branch from 9258c6f to 6d1b3d8 Compare May 2, 2026 17:44

holger-dengler mentioned this pull request May 2, 2026

new tool zpckey for UV key origins #43

Open

ifranzki reviewed May 4, 2026

View reviewed changes

Comment thread CMakeLists.txt Outdated

ifranzki reviewed May 4, 2026

View reviewed changes

Comment thread src/provider.c Outdated

ifranzki reviewed May 4, 2026

View reviewed changes

Comment thread src/provider.c Outdated

ifranzki reviewed May 4, 2026

View reviewed changes

Comment thread src/provider.c Outdated

ifranzki reviewed May 4, 2026

View reviewed changes

Comment thread src/provider.c Outdated

ifranzki reviewed May 5, 2026

View reviewed changes

Comment thread src/keymgmt.c

ifranzki reviewed May 5, 2026

View reviewed changes

Comment thread src/keymgmt.c

ifranzki reviewed May 5, 2026

View reviewed changes

Comment thread src/keymgmt.c

ifranzki reviewed May 6, 2026

View reviewed changes

holger-dengler force-pushed the provider-sign branch from 6d1b3d8 to 690f619 Compare May 11, 2026 07:28