
new tool zpckey for UV key origins #43

Open
holger-dengler wants to merge 37 commits into opencryptoki:main from holger-dengler:zpckey-uv


@holger-dengler
Contributor

This PR adds a new tool for managing the key origins for the zpcprovider. It covers key origins for UV retrievable secrets.

The PR is based on #41, so only the last 3 commits are relevant for the review. This PR should not be merged before the other one.

The new dependency to OpenSSL requires a custom built OpenSSL, as long
it is available as distro package.

This workaround can be removed, if OpenSSL v3.5 or later is available
as distro package.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The zpc functionality will be exposed via the OpenSSL API. Query the
required OpenSSL package during build.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The provider is the base to plug-in further implementation like
key-management, ciphers and so on. It has no functionality itself.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The provider-specific key object structure is shared between the
provider components and references to the internal zpc-key
structure(s).

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
A hbkzpc-URI references a hardware-backed key origin. The parser
destructs the URI into key-value pairs.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The mapping helpers provide mappings between e.g. algorithm strings
and algorithm-related values.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Introduce a store-loader for hbkzpc-URI based keys. The store-loader
creates a provider-specific key object and adds relevant information
from the URI.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Introduce an asymmetric key management to map the provider-specific key
object to an internal zpc-key.

Not supported:
- key generation
- key import/export

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add helpers to generate DER-encoded algorithm-ids based on key and
digest information.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add signature algorithms for sign/verify with ECDSA and EDDSA keys.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add the supported TLS properties of the hbkzpc provider.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The ASN.1 module provides DER en-/decoding for hbkzpc-URIs. These
functions are required for the decoder/encoder support.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add decoders for PEM and DER to support hbkzpc-URI files.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
To use the zpc functionality via the OpenSSL API, the zpc provider has
to be defined in the OpenSSL configuration. The build configures the
template and creates an `openssl.cnf` file, which can be used for test
purposes. The configuration file will be created in the build output
folder.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add provider test framework with a base retrieval of the hbkzpc
provider.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add tests for the store-loader. It covers mainly the
open()/load()/eof() sequence.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add test for loading an EVP PKEY object from a hbkzpc-URI via
store and keymgmt.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add sign/verify tests for full and pre-hashed messages. The
verification is checked across both variants.

Note: The test covers only ECDSA and uses a hard-coded key origin.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add tests for the DER encoding. It takes the hard-coded ECDSA key and
stores it as a file.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add simple decoder fetch test.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add tests to use hbkzpc-URI file for sign/verify (instead of loading
the URI via store).

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
@ifranzki
Contributor

ifranzki commented May 5, 2026

I would move the zpckey sources into a subdirectory, e.g. src/zpckey/.

Comment thread src/zpckey.c
@ifranzki
Contributor

ifranzki commented May 6, 2026

It seems that one can specify any garbage as hex UV ID, that garbage is passed right away to the URI. OK, garbage in -> garbage out.... But couldn't you validate that string that it is a valid hex string and of the correct size?

I usually copy & paste the hex ID from 'pvsecret list' and it has 0x in front. zpckey accepts it, but later on when the URI is used it fails. So at best allow it to be prefixed with 0x and strip it off. Also check for other non-hex chars and the ID length to be 32 bytes.
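
The input check requested in the comment above, as an added example that is not part of the PR or the zpckey sources. The function name, error codes and the lower-case canonical form are assumptions of this sketch; the 0x prefix and the 32-byte length come from the comment.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define UV_ID_BYTES  32                 /* ID length named in the review comment */
#define UV_ID_HEXLEN (2 * UV_ID_BYTES)  /* two hex digits per byte */

enum uv_id_err { UV_ID_OK = 0, UV_ID_ENULL = -1, UV_ID_ELEN = -2, UV_ID_ECHAR = -3 };

/*
 * Hypothetical helper: validate a UV secret ID given as hex text and write
 * the canonical form (no prefix, lower case) to out, which must hold
 * UV_ID_HEXLEN + 1 bytes. On any error out is left as an empty string, so a
 * rejected ID can never end up in a URI.
 */
static int uv_id_normalize(const char *in, char out[UV_ID_HEXLEN + 1])
{
    size_t i, len;

    if (out == NULL)
        return UV_ID_ENULL;
    out[0] = '\0';
    if (in == NULL)
        return UV_ID_ENULL;

    /* Accept an optional "0x"/"0X" prefix (copy & paste case) and strip it. */
    if (in[0] == '0' && (in[1] == 'x' || in[1] == 'X'))
        in += 2;

    /* Exactly 64 hex digits must remain: no short, long or empty IDs. */
    len = strlen(in);
    if (len != UV_ID_HEXLEN)
        return UV_ID_ELEN;
    for (i = 0; i < len; i++)
        if (!isxdigit((unsigned char)in[i]))
            return UV_ID_ECHAR;

    for (i = 0; i < len; i++)
        out[i] = (char)tolower((unsigned char)in[i]);
    out[len] = '\0';
    return UV_ID_OK;
}

int main(void)
{
    /* Constructed sample ID, not a real secret ID. */
    const char *arg = "0x0123456789ABCDEF0123456789abcdef0123456789abcdef0123456789abcdef";
    char id[UV_ID_HEXLEN + 1];
    int rc = uv_id_normalize(arg, id);

    printf("rc=%d id=%s\n", rc, id);
    return rc == UV_ID_OK ? 0 : 1;
}
```

Rejecting the ID at the command line turns the late failure described in the comment into an immediate, specific error.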


2 participants