zpcprovider for sign/verify (ecdsa/eddsa)#41
Conversation
|
Are you looking at the Travis build failures? You might need to build OpenSSL from source to have a 3.5.0 version to build against. |
|
Yes, a fix for the travis is in progress. It looks like travis only provides 3.0 out of the box. So I'll build my own. At least 3.5, better 4.0. |
holger-dengler
force-pushed
the
provider-sign
branch
2 times, most recently
from
7c72889 to
1659e06
Compare
|
The update contains:
|
holger-dengler
force-pushed
the
provider-sign
branch
from
9258c6f to
6d1b3d8
Compare
|
Another update (force push) to remove the merge conflicts and add a fix for travis. |
|
I would suggest to also add tests that utilize the openssl application to use protected key origins. For example, creating/signing a certificate with a protected key origin specified via URI or PEM using |
I plan to rework the test. |
|
I would move the provider sources into a subdirectory, e.g. |
|
I would postpone the source code restructuring until the provider transition is done (symmetric cipher, secure-key origins etc). There will be eventually also some removal of no longer used code. |
holger-dengler
force-pushed
the
provider-sign
branch
from
6d1b3d8 to
690f619
Compare
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Introduce a store-loader for hbkzpc-URI based keys. The store-loader creates a provider-specific key object and adds relevant information from the URI. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Introduce a asymmetric key management to map the provider-specific key object to a intern zpc-key. Not supported: - key generation - key import Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add helpers to generate DER-encoded algorithm-ids based on key and digest information. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add signature algorithms for sign/verify with ECDSA and EDDSA keys. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add the supported TLS properties for the zpcprovider. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The ASN.1 module provides DER en-/decoding for hbkzpc-URIs. These functions are required for the decoder/encoder support. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add internal object build target for ASN.1 module. The internal object can be shared between targets. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add decoders for PEM and DER to support hbkzpc-URI files. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
To use the zpc functionality via the OpenSSL API, the zpcprovider has to be defined in the OpenSSL configuration. The build configures the template and creates a `openssl.cnf` file, which can be used for test purposes. The configuration file will be created in the build output folder. The build also configures a second template and creates a configuration drop-in file `zpcprovider.cnf`. This file can be included in existing OpenSSL configuration files. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The scripts set breakpoints for to all zpcprovider functions, which are called by the OpenSSL provider API (dispatch functions). Each zpcprovider component has its own gdb-script. Sourcing multiple scripts is possible. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
holger-dengler
force-pushed
the
provider-sign
branch
from
d281dfe to
befe371
Compare
|
The current PR version contains a lot of fixes. The tests with the hard-coded keys (t_provider) has been removed completely. For testing purposes, I would suggest to checkout PR #43, as it provides test scripts which uses openssl cli to trigger the zpcprovider. Further improvements:
|
| - cmake -DBUILD_TEST=ON .. 2> >(tee) | ||
| - make 2> >(tee) | ||
| - cmake -B build -S . -DCMAKE_INCLUDE_PATH=${OPENSSL_DIR} -DCMAKE_LIBRARY_PATH=${OPENSSL_DIR} 2> >(tee) | ||
| - cmake --build build --target zpc 2> >(tee) |
There was a problem hiding this comment.
Would it be possible to also run some tests here? Probably not .....
There was a problem hiding this comment.
All current tests require at least some existing key files. Provider tests in addition require a sel-setup. I would like to postpone futher testing to upcoming releases.
| { | ||
| struct obj *obj = (struct obj *)keydata; | ||
|
|
||
| zpc_ec_key_free(&obj->ec_key); |
There was a problem hiding this comment.
This is a double-free, as the obj_free() also frees the ec_key member. Will fix it in the next version.
2 participants
This PR requires PR #40.
This PR adds OpenSSL provider support for libzpc. This first version covers the main functionality for store, keymgmt, sign/verify and decoder support.
As the series add a lot of new code, it is split into many commits to make the review (hopefully) a bit easier.
ToDo:
Restriction:
tprovider.c.