zpcprovider and tooling by holger-dengler · Pull Request #45 · opencryptoki/libzpc

holger-dengler · 2026-06-08T13:54:20Z

This PR is the successor of #41 and #43. It also contains a lot of cleanups and rework for the shift to the new provider API.

The new zpc_ec_key_compare() function compares two key objects. In general, if both keys has the same public key, they can be assumed to be identical. Only if one of the two keys (or both) has not set a public key, also the protected key blobs needs to be compared. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

The libzpc API is no longer exposed as shared object, so make the constructor and destructor explicit. It is now up to the consumer to call them. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Call the global zpc constructor/destructor once for all tests by exploiting the gtest environment API. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Update travis configuration to noble and add install the new package dependencies (e.g. OpenSSL). While at it, also remove deprecated statements and remove environment variable settings. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

The gtest release 1.11.0 produce build problems because of outdated versions. Updating to version v1.12.1 fixes the problems. While at it, migrate from archive-download to git checkout. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

The libzpc API is no longer exposed as static or shared library. The object module is only available for internal purpose. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

As the libzpc API is no longer externally available, also the extensive testing (gtest/wycheproof) has to be made internal. Introduce a new build option BUILD_INTERNAL_TEST. Enabling this new option will build the extensive tests. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Adjust indention, no functional change. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

The new target converts markdown man-pages to troff format. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

The zpc functionality will be exposed via the OpenSSL API. Query the required OpenSSL package during build. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Introduce the build option BUILD_ASAN to enable the address sanitizer in the compile options. Executable or shared library targets has to enable the address sanitizer in the link options as well. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

The provider is the base to plug-in further implementation like key-management, ciphers and so on. It has no functionality itself. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Add a module build target for the zpcprovider. Other than shared objects, the provider module has no so-name and also no API versioning. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

The provider-specific key object structure is shared between the provider components and references to the internal zpc-key structure(s). Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

A hbkzpc-URI references a hardware-backed key origin. The parser destructs the URI into key-value pairs. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Add internal object build target for uri. The internal object can be shared between targets. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

The mapping helpers provide mappings between e.g. algorithm strings and algorithm-related values. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Introduce a store-loader for hbkzpc-URI based keys. The store-loader creates a provider-specific key object and adds relevant information from the URI. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Introduce a asymmetric key management to map the provider-specific key object to a intern zpc-key. Not supported: - key generation - key import Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Add helpers to generate DER-encoded algorithm-ids based on key and digest information. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Add signature algorithms for sign/verify with ECDSA and EDDSA keys. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Add the supported TLS properties for the zpcprovider. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

The ASN.1 module provides DER en-/decoding for hbkzpc-URIs. These functions are required for the decoder/encoder support. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Add internal object build target for ASN.1 module. The internal object can be shared between targets. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Add decoders for PEM and DER to support hbkzpc-URI files. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

To use the zpc functionality via the OpenSSL API, the zpcprovider has to be defined in the OpenSSL configuration. The build configures the template and creates a `openssl.cnf` file, which can be used for test purposes. The configuration file will be created in the build output folder. The build also configures a second template and creates a configuration drop-in file `zpcprovider.cnf`. This file can be included in existing OpenSSL configuration files. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

The scripts set breakpoints for to all zpcprovider functions, which are called by the OpenSSL provider API (dispatch functions). Each zpcprovider component has its own gdb-script. Sourcing multiple scripts is possible. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

The tool `zpckey` is a key management tool for the zpcprovider. It supports the composition of key-origins (compose) and prints information about existing zpcprovider keys (show). The tool supports key encoding as hbkzpc-URI, DER or PEM. Currently, only keys of origin type `uv` are supported. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

As PEM/DER key files are supported now, exclude them from version control by default. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

The test script iterates over a list of algorithms and generates the required key files for further tests. It covers test-cases for the tool `zpckey`. The test-case depends on one clear-key for each algorithm. These clear-keys must also exist as related UV retrievable secret. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

The test script iterated over a list of algorithms and query parameters of the key for each algorithm. The test depends on the keys files, which are created by the `t_ossl_prepkey` test-case. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

The test script iterates over a list of algorithm and performs the following tests for each algorithm: - sign with zpc-key, verify with zpc-key - sign with zpc-key, verify with clear-key (priv, pub) - sign with clear-key, verify with zpc-key The test depends on the keys files, which are created by the `t_ossl_prepkey` test-case. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

The introduction of platform-independent targets allows to build parts of the project for non-s390x platforms. This is required at least for the tool `zpckey`. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

The tool pkeycmp takes two provider key files (PEM or DER) and compares them. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

As the project supports building on non-s390x platforms, enable the multi-arch build in travis. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

- Migrate README to provider API - Remove all parts, which are not yet supported by the provider - Flag the gtest/wycheproof tests as "internal" Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

The project now also allows builds for non-s390x platforms. Rework the spec-file accordingly and split the build results into separate packages. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

ifranzki

Looks very good now.

holger-dengler added 30 commits June 8, 2026 15:38

zpc: init: Introduce explicit constructor/destructor

003c63c

The libzpc API is no longer exposed as shared object, so make the constructor and destructor explicit. It is now up to the consumer to call them. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

test: Add explicit setup/teardown handling

4f8cc0b

Call the global zpc constructor/destructor once for all tests by exploiting the gtest environment API. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

travis: Add OpenSSL custom build

657f153

Update travis configuration to noble and add install the new package dependencies (e.g. OpenSSL). While at it, also remove deprecated statements and remove environment variable settings. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

cmake: Fix broken gtest

3df6744

The gtest release 1.11.0 produce build problems because of outdated versions. Updating to version v1.12.1 fixes the problems. While at it, migrate from archive-download to git checkout. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

cmake: Convert zpc target to object module

3208576

The libzpc API is no longer exposed as static or shared library. The object module is only available for internal purpose. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

cmake: Harmonize indent

c08a249

Adjust indention, no functional change. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

cmake: Add man-page conversion target

84e5d4e

The new target converts markdown man-pages to troff format. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

cmake: Add OpenSSL package

56288cd

The zpc functionality will be exposed via the OpenSSL API. Query the required OpenSSL package during build. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

provider: Add base provider

fe61638

The provider is the base to plug-in further implementation like key-management, ciphers and so on. It has no functionality itself. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

cmake: Add zpcprovider build target

456e934

Add a module build target for the zpcprovider. Other than shared objects, the provider module has no so-name and also no API versioning. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

provider: Add provider-specific key object

a651c34

The provider-specific key object structure is shared between the provider components and references to the internal zpc-key structure(s). Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

cmake: Integrate provider-specific key object

1c26693

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

provider: Add hbkzpc-URI parser

9ec43c9

A hbkzpc-URI references a hardware-backed key origin. The parser destructs the URI into key-value pairs. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

cmake: Add uri build target

e34d470

Add internal object build target for uri. The internal object can be shared between targets. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

provider: Add mapping helpers

46a7205

The mapping helpers provide mappings between e.g. algorithm strings and algorithm-related values. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

cmake: Integrate mapping helpers

259ef15

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

provider: Add store-loader

5c03a2b

Introduce a store-loader for hbkzpc-URI based keys. The store-loader creates a provider-specific key object and adds relevant information from the URI. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

cmake: Integrate store-loader

a029708

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

provider: Add asymmetric key management

b2c542f

Introduce a asymmetric key management to map the provider-specific key object to a intern zpc-key. Not supported: - key generation - key import Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

cmake: Integrate asymmetric key management

8247a34

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

provider: Add algorithm-id helpers

b0ccea7

Add helpers to generate DER-encoded algorithm-ids based on key and digest information. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

cmake: Integrate algorithm-id helpers

2808df9

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

provider: Add signature algorithms

af5b20b

Add signature algorithms for sign/verify with ECDSA and EDDSA keys. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

cmake: Integrate signature algorithms

b107c81

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

provider: Add tls-property helpers

faa7a20

Add the supported TLS properties for the zpcprovider. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

cmake: Integrate tls-property helpers

8b22814

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

asn1: Add ASN.1 module (definition and functions)

fcfb9c3

The ASN.1 module provides DER en-/decoding for hbkzpc-URIs. These functions are required for the decoder/encoder support. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

holger-dengler added 18 commits June 8, 2026 15:39

cmake: Add ASN.1 build target

c56718c

Add internal object build target for ASN.1 module. The internal object can be shared between targets. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

provider: Add decoders for hbkzpc-URI

90462f5

Add decoders for PEM and DER to support hbkzpc-URI files. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

cmake: Integrate decoder implementation

9f35536

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

uri: Add URI compose function

104c4e8

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

cmake: Integrate zpckey

a3347bf

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

gitignore: Ignore PEM/DER key files

133a128

As PEM/DER key files are supported now, exclude them from version control by default. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

test: Add tests for key parameters

a3fb2a1

The test script iterated over a list of algorithms and query parameters of the key for each algorithm. The test depends on the keys files, which are created by the `t_ossl_prepkey` test-case. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

cmake: Introduce platform-independent targets

e0fc729

The introduction of platform-independent targets allows to build parts of the project for non-s390x platforms. This is required at least for the tool `zpckey`. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

test: Add test tool to compare provider EVP_PKEY objects

2d01362

The tool pkeycmp takes two provider key files (PEM or DER) and compares them. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

cmake: Integrate test tool pkeycmp

9aeca58

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

travis: Enable multi-arch travis build

d7bc071

As the project supports building on non-s390x platforms, enable the multi-arch build in travis. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

README: Introduce provider API

fb6aa5e

- Migrate README to provider API - Remove all parts, which are not yet supported by the provider - Flag the gtest/wycheproof tests as "internal" Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

spec: Rework RPM spec file

b9eeb39

The project now also allows builds for non-s390x platforms. Rework the spec-file accordingly and split the build results into separate packages. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

holger-dengler requested a review from ifranzki June 8, 2026 13:54

This was referenced Jun 8, 2026

zpcprovider for sign/verify (ecdsa/eddsa) #41

Closed

new tool zpckey for UV key origins #43

Closed

ifranzki approved these changes Jun 9, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

zpcprovider and tooling#45

zpcprovider and tooling#45
holger-dengler wants to merge 48 commits into
opencryptoki:mainfrom
holger-dengler:provider

holger-dengler commented Jun 8, 2026

Uh oh!

ifranzki left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

holger-dengler commented Jun 8, 2026

Uh oh!

ifranzki left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants