zpcprovider for sign/verify (ecdsa/eddsa)#41

Open

holger-dengler wants to merge 36 commits intoopencryptoki:mainfrom

holger-dengler:provider-sign

Contributor

holger-dengler commented Apr 10, 2026

This PR requires PR #40.

This PR adds OpenSSL provider support for libzpc. This first version covers the main functionality for store, keymgmt, sign/verify and decoder support.

As the series add a lot of new code, it is split into many commits to make the review (hopefully) a bit easier.

ToDo:

public key support for store/decoder
alloc/free needs some debugging

Restriction:

the tests uses hard-coded public keys, so running tests on other machines require code changes in tprovider.c.
the provider only supports uv origins, so testing is limited to SEL environments.

holger-dengler added 30 commits

April 10, 2026 14:37


          libzpc: Harmonize length types in ecc API

f8b76e0

In some of the ecc API functions, the buffer length parameters are of
type `unsigned int`. All other API components use `size_t` for such
length parameters. To harmonize with these other APIs, change all
length parameter in ecc functions to type `size_t`.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          cmake: Add cross-build architecture information

d278e0c

The target architecture is different from the host architecture in
cross-builds. Add the correct information to the s390x toolchain file.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          cmake: Add test header comment

7c9a4d8

To follow the structure for other sections in the cmake definition, a
comment header is added for the test section.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          CONTRIBUTING: re-format

2ca0af9

Add line-breaks to the contribution rules to increase the readability
without a markdown-reader.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          cmake: Add OpenSSL package

911117c

The zpc functionality will be exposed via the OpenSSL API. Query the
required OpenSSL package during build.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          provider: Add base provider

f0d2895

The provider is the base to plug-in further implementation like
key-management, ciphers and so on. It has no functionality itself.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          cmake: Integrate base provider

ccce480

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          test: Add OpenSSL configuration template

66ad25d

To use the zpc functionality via the OpenSSL API, the zpc provider has
to be defined in the OpenSSL configuration. The build configures the
template and creates a `openssl.cnf` file, which can be used for test
purposes. The configuration file will be created in the build output
folder.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          test: Add provider tests

141e6fb

Add provider test framework with a base retrieval of the hbkzpc
provider.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          cmake: Integrate provider test

f662444

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          provider: Add provider-specific key object

3d50465

The provider-specific key object structure is shared between the
provider components and references to the internal zpc-key
structure(s).

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          cmake: Integrate provider-specific key object

1c3919f

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          provider: Add hbkzpc-URI parser

e6af4b0

A hbkzpc-URI references a hardware-backed key origin. The parser
destructs the URI into key-value pairs.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          cmake: Integrate uri

4ed730e

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          provider: Add mapping helpers

ef6599c

The mapping helpers provide mappings between e.g. algorithm strings
and algorithm-related values.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          cmake: Integrate mapping helpers

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          provider: Add store-loader

8e247be

Introduce a store-loader for hbkzpc-URI based keys. The store-loader
creates a provider-specific key object and adds relevant information
from the URI.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          cmake: Integrate store-loader

6f49dea

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          provider: Add asymmetric key management

6b205d9

Introduce a asymmetric key management to map the provider-specific key
object to a intern zpc-key.

Not supported:
- key generation
- key import/export

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          cmake: Add zpc dependency for provider

33f3dcb

The symmetric key-management has a dependency to zpc library
code. Make the build aware of it.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          cmake: Integrate asymmetric key management

1aa12cf

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          test: Add provider test for store-loader

97b2a0c

Add tests for the sore-loader. It covers mainly the
open()/load()/eof() sequence.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          test: Add provider test for PKEY (store/keymgmt)

01c4e9f

Add test for loading a EVP PKEY object from a hbkzpc-URI via
store and keymgmt.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          provider: Add signature algorithms

cbf1358

Add signature algorithms for sign/verify with ECDSA and EDDSA keys.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          cmake: Integrate signature algorithms

767db62

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          test: Add provider test for signature algorithms

2a6c319

Add sign/verify tests for full and pre-hashed messages. The
verification is checked across both variants.

Note: The test covers only ECDSA and uses a hard-coded key origin.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          provider: Add tls-property helpers

7fd337b

Add the supported TLS properties of the hbkzpc provider.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          cmake: Integrate tls-property helpers

4c8295c

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          asn1: Add ASN.1 module (definition and functions)

015a0a6

The ASN.1 module provides DER en-/decoding for hbkzpc-URIs. These
functions are required for the decoder/encoder support.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          cmake: ASN.1 module integration

bd4d772

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

holger-dengler added 6 commits

April 10, 2026 16:37


          test: Add asn.1 tests

6ccf5ee

Add tests for the DER encoding. It takes the hard-coded ECDSA key and
stores it as a file.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          provider: Add decoders for hbkzpc-URI

1d2edc6

Add decoders for PEM and DER to support hbkzpc-URI files.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          cmake: Integrate decoder implementation

f70038a

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          test: Add decoder tests

37affd1

Add simple decoder fetch test.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          test: Add signature test (PEM)

d84e0c2

Add tests to use hbkzpc-URI file for sign/verify (instead of loading
the URI via store).

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>


          WIP dbg: Add provider gdb-scripts

ab5204e

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

holger-dengler requested review from fcallies and ifranzki

April 10, 2026 15:05

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet