zpcprovider for sign/verify (ecdsa/eddsa)

CMakeLists.txt

@@ -95,6 +95,11 @@ find_package(json-c
     REQUIRED
 )
 
+find_package(OpenSSL
+    3.5.0
+    REQUIRED
+)
+
 add_definitions(
     -D_GNU_SOURCE
 )
@@ -137,6 +142,80 @@ install(
     DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig
 )
 
+###########################################################
+# ASN.1
+
+set (ASN1_SOURCES
+  src/asn1.c
+)
+
+add_custom_command(
+  OUTPUT asn1_gen.c
+  COMMAND ${CMAKE_C_COMPILER} -I${OPENSSL_INCLUDE_DIR} -x c -E ${CMAKE_SOURCE_DIR}/src/asn1_gen.c.in
+          | grep -v "^#"
+          | sed -n -e "1,/^BEGIN:$$/!p"
+          | clang-format --assume-filename=.c
+          > asn1_gen.c
+  MAIN_DEPENDENCY ${CMAKE_SOURCE_DIR}/src/asn1_gen.c.in
+  WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
+)
+add_custom_target(asn1_gen ALL DEPENDS asn1_gen.c)
+
+add_library(asn1 OBJECT ${ASN1_SOURCES})
+set_property(TARGET asn1 PROPERTY POSITION_INDEPENDENT_CODE ON)
+target_include_directories(asn1 PRIVATE ${OPENSSL_INCLUDE_DIR} ${CMAKE_BINARY_DIR})
+add_dependencies(asn1 asn1_gen)
+
+###########################################################
+# zpcprovider
+
+set(ZPCPROVIDER_SOURCES
+    src/provider.c
+    src/object.c
+    src/uri.c
+    src/map.c
+    src/store.c
+    src/keymgmt.c
+    src/signature.c
+    src/tls.c
+    src/decoder.c
+)
+
+add_library(zpcprovider MODULE ${ZPCPROVIDER_SOURCES})
+set_target_properties(zpcprovider PROPERTIES PREFIX "")
+
+target_include_directories(zpcprovider PRIVATE src include ${OPENSSL_INCLUDE_DIR})
+target_link_libraries(zpcprovider PRIVATE zpc OpenSSL::Crypto $<TARGET_OBJECTS:asn1>)
+
+install(
+    TARGETS zpcprovider
+    LIBRARY DESTINATION ${CMAKE_INSTALL_LIBEXECDIR}
+)
+
+set(OPENSSL_CONF
+    ${CMAKE_BINARY_DIR}/openssl.cnf
+)
+set(OPENSSL_CONF_IN
+    ${CMAKE_SOURCE_DIR}/openssl.cnf.in
+)
+set(ZPCPROVIDER_MODULE
+    ${CMAKE_BINARY_DIR}/zpcprovider.so
+)
+configure_file(${OPENSSL_CONF_IN} ${OPENSSL_CONF} @ONLY)
+
+# install(
+#     FILES ${CMAKE_SOURCE_DIR}/man/zpcprovider.cnf.5
+#     DESTINATION ${CMAKE_INSTALL_MANDIR}/man5
+# )
+#
+# install(
+#     FILES ${CMAKE_SOURCE_DIR}/man/zpcprovider.7
+#     DESTINATION ${CMAKE_INSTALL_MANDIR}/man7
+# )
+
+###########################################################
+# Test
+
 option(BUILD_TEST OFF)
 
 if (BUILD_TEST)
@@ -420,6 +499,14 @@ target_include_directories(runtest PRIVATE include src ${GTEST_INCLUDE_DIR})
 include(GoogleTest)
 gtest_discover_tests(runtest)
 
+set (ZPCPROVIDER_TEST_SOURCES
+    test/tprovider.c
+)
+add_executable(runprovidertest ${ZPCPROVIDER_TEST_SOURCES})
+add_dependencies(runprovidertest zpcprovider)
+target_include_directories(runprovidertest PRIVATE src ${OPENSSL_INCLUDE_DIR})
+target_link_libraries(runprovidertest PRIVATE OpenSSL::Crypto $<TARGET_OBJECTS:asn1>)
+
 endif ()
 
 ###########################################################

CONTRIBUTING.md

@@ -1,30 +1,41 @@
 Contributing {#contrib}
 ===
 
-You can contribute to `libzpc` by submitting issues (feature requests, bug reports) or pull requests (code contributions) to the GitHub repository.
+You can contribute to `libzpc` by submitting issues (feature requests, bug
+reports) or pull requests (code contributions) to the GitHub repository.
 
 
 Bug reports
 ---
 
 When filing a bug report, please include all relevant information.
 
-In all cases include the `libzpc` version, operating system and kernel version used.
+In all cases include the `libzpc` version, operating system and kernel version
+used.
 
-Additionally, if it is a build error, include the toolchain version used. If it is a runtime error, include the crypto adapter config and processor model used.
+Additionally, if it is a build error, include the toolchain version used. If it
+is a runtime error, include the crypto adapter config and processor model used.
 
 Ideally, detailed steps on how to reproduce the issue would be included.
 
 
 Code contributions
 ---
 
-All code contributions are reviewed by the `libzpc` maintainers who reverve the right to accept or reject a pull request.
+All code contributions are reviewed by the `libzpc` maintainers who reverve the
+right to accept or reject a pull request.
 
-Please state clearly if your pull request changes the `libzpc` API or ABI, and if so, whether the changes are backward compatible.
+Please state clearly if your pull request changes the `libzpc` API or ABI, and
+if so, whether the changes are backward compatible.
 
-If your pull request resolves an issue, please put a `"Fixes #<issue number>"` line in the commit message. Ideally, the pull request would add a corresponding regression test.
+If your pull request resolves an issue, please put a `"Fixes #<issue number>"`
+line in the commit message. Ideally, the pull request would add a corresponding
+regression test.
 
 If your pull request adds a new feature, please add a corresponding unit test.
 
-The code base is formatted using the `indent` tool with the options specified in the enclosed `.indent.pro` file. All code contributions must not violate this coding style. When formatting `libzpc` code, you can use `indent` with the prescribed options by copying the file to your home directory or by setting the `INDENT_PROFILE` environment variable's value to name the file.
+The code base is formatted using the `indent` tool with the options specified in
+the enclosed `.indent.pro` file. All code contributions must not violate this
+coding style. When formatting `libzpc` code, you can use `indent` with the
+prescribed options by copying the file to your home directory or by setting the
+`INDENT_PROFILE` environment variable's value to name the file.

include/zpc/ecc_key.h

@@ -125,7 +125,7 @@ int zpc_ec_key_set_apqns(struct zpc_ec_key *key, const char *apqns[]);
  */
 __attribute__((visibility("default")))
 int zpc_ec_key_import(struct zpc_ec_key *key, const unsigned char *seckey,
-					unsigned int seckeylen);
+					size_t seckeylen);
 
 /**
  * Import an EC clear-key pair. At least one of the key parts must be non-NULL.
@@ -150,8 +150,8 @@ int zpc_ec_key_import(struct zpc_ec_key *key, const unsigned char *seckey,
  */
 __attribute__((visibility("default")))
 int zpc_ec_key_import_clear(struct zpc_ec_key *key,
-					const unsigned char *pubkey, unsigned int publen,
-					const unsigned char *privkey, unsigned int privlen);
+					const unsigned char *pubkey, size_t publen,
+					const unsigned char *privkey, size_t privlen);
 
 /**
  * Export an EC secure-key. Depending on the key type (CCA or EP11), the secure
@@ -166,7 +166,7 @@ int zpc_ec_key_import_clear(struct zpc_ec_key *key,
  */
 __attribute__((visibility("default")))
 int zpc_ec_key_export(struct zpc_ec_key *key, unsigned char *seckey,
-					unsigned int *seckeylen);
+					size_t *seckeylen);
 
 /**
  * Export an EC public-key.
@@ -180,7 +180,7 @@ int zpc_ec_key_export(struct zpc_ec_key *key, unsigned char *seckey,
  */
 __attribute__((visibility("default")))
 int zpc_ec_key_export_public(struct zpc_ec_key *key, unsigned char *pubkey,
-					unsigned int *pubkeylen);
+					size_t *pubkeylen);
 
 /**
  * Generate an EC secure-key.

include/zpc/ecdsa_ctx.h

@@ -58,8 +58,8 @@ int zpc_ecdsa_ctx_set_key(struct zpc_ecdsa_ctx *ctx, struct zpc_ec_key *key);
  */
 __attribute__((visibility("default")))
 int zpc_ecdsa_sign(struct zpc_ecdsa_ctx *ctx,
-				const unsigned char *hash, unsigned int hash_len,
-				unsigned char *signature, unsigned int *sig_len);
+				const unsigned char *hash, size_t hash_len,
+				unsigned char *signature, size_t *sig_len);
 
 /**
  * Do an ECDSA verify operation.
@@ -72,8 +72,8 @@ int zpc_ecdsa_sign(struct zpc_ecdsa_ctx *ctx,
  */
 __attribute__((visibility("default")))
 int zpc_ecdsa_verify(struct zpc_ecdsa_ctx *ctx,
-				const unsigned char *hash, unsigned int hash_len,
-				const unsigned char *signature, unsigned int sig_len);
+				const unsigned char *hash, size_t hash_len,
+				const unsigned char *signature, size_t sig_len);
 
 /**
  * Free an ECDSA context.

misc/dbg/decoder.gdb

@@ -0,0 +1,5 @@
+set breakpoint pending on
+break decoder_newctx
+break decoder_freectx
+break decoder_pem_hbkzpc_der_decode
+break decoder_der_hbkzpc_ec_decode

misc/dbg/kmgmt.gdb

@@ -0,0 +1,6 @@
+set breakpoint pending on
+break ec_new
+break ec_free
+break ec_load
+break ec_has
+# disable

misc/dbg/store.gdb

@@ -0,0 +1,12 @@
+set breakpoint pending on
+break store_ctx_init
+break store_ctx_free
+break store_ctx_expect
+break store_open
+break store_open_ex
+break store_load
+break store_eof
+break store_close
+break store_set_ctx_params
+break store_settable_ctx_params
+disable

openssl.cnf.in

@@ -0,0 +1,28 @@
+HOME = .
+
+# Use this in order to automatically load providers.
+openssl_conf = openssl_init
+
+config_diagnostics = 1
+
+[openssl_init]
+providers = provider_sect
+alg_section = evp_properties
+
+[provider_sect]
+default = default_sect
+base = base_sect
+hbkzpc = hbkzpc_sect
+
+[evp_properties]
+
+[base_sect]
+activate = 1
+
+[default_sect]
+activate = 1
+
+[hbkzpc_sect]
+module = @ZPCPROVIDER_MODULE@
+identity = hbkzpc
+activate = 1

s390x-tc-debian.cmake

@@ -1,4 +1,5 @@
 set(CMAKE_SYSTEM_NAME Linux)
+set(CMAKE_SYSTEM_PROCESSOR s390x)
 
 set(CMAKE_C_COMPILER   s390x-linux-gnu-gcc)
 set(CMAKE_CXX_COMPILER s390x-linux-gnu-g++)

src/asn1.c

@@ -0,0 +1,21 @@
+// SPDX-License-Identifier: MIT
+// Copyright contributors to the libzpc project
+#include "asn1.h"
+
+ASN1_SEQUENCE(ZPCHBK) = {
+	ASN1_EXP(ZPCHBK, desc, ASN1_VISIBLESTRING, 0),
+	ASN1_EXP(ZPCHBK, uri,  ASN1_UTF8STRING,    1),
+} ASN1_SEQUENCE_END(ZPCHBK);
+
+#include "asn1_gen.c"
+
+int i2d_ZPCHBK_bio(BIO *bp, const ZPCHBK *hbkp)
+{
+	return ASN1_i2d_bio_of(ZPCHBK, i2d_ZPCHBK, bp, hbkp);
+}
+
+ZPCHBK *d2i_ZPCHBK_bio(BIO *bp, ZPCHBK **hbkpp)
+{
+	return ASN1_d2i_bio_of(ZPCHBK, ZPCHBK_new, d2i_ZPCHBK,
+			       bp, hbkpp);
+}

src/asn1.h

@@ -0,0 +1,24 @@
+// SPDX-License-Identifier: MIT
+// Copyright contributors to the libzpc project
+#ifndef _ASN1_H
+#define _ASN1_H
+
+#include <openssl/asn1t.h>
+#include <openssl/pem.h>
+
+#define HBKZPC_PEM_STRING	"ZPC HARDWARE BACKED KEY"
+#define HBKZPC_DER_DESC		"HBKZPC Provider URI v1.0"
+
+struct zpc_hardware_backed_key_sequence_st {
+	ASN1_VISIBLESTRING *desc;
+	ASN1_UTF8STRING *uri;
+};
+typedef struct zpc_hardware_backed_key_sequence_st ZPCHBK;
+DECLARE_ASN1_FUNCTIONS(ZPCHBK)
+
+int i2d_ZPCHBK_bio(BIO *bp, const ZPCHBK *hbkp);
+ZPCHBK *d2i_ZPCHBK_bio(BIO *bp, ZPCHBK **hbkpp);
+
+DECLARE_PEM_write_bio(ZPCHBK, ZPCHBK)
+DECLARE_PEM_read_bio(ZPCHBK, ZPCHBK)
+#endif /* _ASN1_H */

src/asn1_gen.c.in

@@ -0,0 +1,10 @@
+// SPDX-License-Identifier: MIT
+// Copyright contributors to the libzpc project
+#include <openssl/asn1t.h>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+
+BEGIN:
+IMPLEMENT_ASN1_FUNCTIONS(ZPCHBK)
+IMPLEMENT_PEM_write_bio(ZPCHBK, ZPCHBK, HBKZPC_PEM_STRING, ZPCHBK)
+IMPLEMENT_PEM_read_bio(ZPCHBK, ZPCHBK, HBKZPC_PEM_STRING, ZPCHBK)