new tool zpckey for UV key origins #43
|
I would move the zpckey sources into a subdirectory, e.g. src/zpckey/. |
|
It seems that one can specify any garbage as hex UV ID, that garbage is passed right away to the URI. OK, garbage in -> garbage out.... But couldn't you validate that the string is a valid hex string and of the correct size? I usually copy & paste the hex ID from 'pvsecret list' and it has 0x in front. zpckey accepts it, but later on when the URI is used it fails. So at best allow it to be prefixed with 0x and strip it off. Also check for other non-hex chars and the ID length to be 32 bytes. |
|
The new PR version adds some checks for the uv-secret-id. The ID must be a valid hex string and the converted size must be 32 bytes. |
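The checks discussed in the two comments above (optional `0x` prefix stripped, hex digits only, exactly 32 bytes after conversion), as an added example that is not code from this PR or from the zpckey sources. The names `parse_uv_secret_id` and `hex_nibble`, the return codes and the sample ID are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define UV_SECRET_ID_LEN 32 /* bytes, the size named in the review */

/* Hypothetical helper, not from the zpckey sources: hex digit -> 0..15, else -1. */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical: parse hex text (optional 0x prefix) into 32 raw bytes.
 * Returns 0 on success, -1 NULL argument, -2 wrong length, -3 non-hex char. */
int parse_uv_secret_id(const char *in, unsigned char out[UV_SECRET_ID_LEN])
{
    unsigned char tmp[UV_SECRET_ID_LEN];
    size_t i;

    if (in == NULL || out == NULL)
        return -1;
    if (in[0] == '0' && (in[1] == 'x' || in[1] == 'X'))
        in += 2; /* accept and strip the prefix */
    if (strlen(in) != 2 * UV_SECRET_ID_LEN)
        return -2; /* reject before anything reaches the URI */
    for (i = 0; i < UV_SECRET_ID_LEN; i++) {
        int hi = hex_nibble(in[2 * i]);
        int lo = hex_nibble(in[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return -3;
        tmp[i] = (unsigned char)((hi << 4) | lo);
    }
    memcpy(out, tmp, sizeof(tmp)); /* out is written only on success */
    return 0;
}

int main(void)
{
    /* Constructed sample ID, not a real secret ID. */
    const char *id = "0x000102030405060708090a0b0c0d0e0f101112131415161718191A1B1C1D1E1F";
    unsigned char raw[UV_SECRET_ID_LEN];
    int rc = parse_uv_secret_id(id, raw);

    printf("rc=%d last byte=0x%02x\n", rc, rc == 0 ? raw[31] : 0);
    return rc == 0 ? 0 : 1;
}
```

Decoding into a temporary buffer first means a rejected ID never leaves partial bytes in the caller's buffer.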
The new dependency to OpenSSL requires a custom built OpenSSL, as long it is available as distribution package. This workaround can be removed, if OpenSSL v3.5 or later is available as distribution package. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The gtest release 1.11.0 produces build problems because of outdated versions. Updating to version v1.12.1 fixes the problems. While at it, migrate from archive-download to git checkout. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The libzpc API is no longer exposed as static or shared library. The object module is only available for internal purpose. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
As the libzpc API is no longer externally available, also the extensive testing (gtest/wycheproof) has to be made internal. Introduce a new build option BUILD_INTERNAL_TEST. Enabling this new option will build the extensive tests. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Adjust indentation, no functional change. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The new target converts markdown man-pages to troff format. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The zpc functionality will be exposed via the OpenSSL API. Query the required OpenSSL package during build. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The provider is the base to plug-in further implementation like key-management, ciphers and so on. It has no functionality itself. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add a module build target for the zpcprovider. Other than shared objects, the provider module has no so-name and also no API versioning. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The provider-specific key object structure is shared between the provider components and references to the internal zpc-key structure(s). Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
A hbkzpc-URI references a hardware-backed key origin. The parser destructs the URI into key-value pairs. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add internal object build target for uri. The internal object can be shared between targets. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The mapping helpers provide mappings between e.g. algorithm strings and algorithm-related values. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Introduce a store-loader for hbkzpc-URI based keys. The store-loader creates a provider-specific key object and adds relevant information from the URI. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Introduce an asymmetric key management to map the provider-specific key object to an internal zpc-key. Not supported:
- key generation
- key import

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add helpers to generate DER-encoded algorithm-ids based on key and digest information. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add signature algorithms for sign/verify with ECDSA and EDDSA keys. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add the supported TLS properties for the zpcprovider. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The ASN.1 module provides DER en-/decoding for hbkzpc-URIs. These functions are required for the decoder/encoder support. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add internal object build target for ASN.1 module. The internal object can be shared between targets. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Add decoders for PEM and DER to support hbkzpc-URI files. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
To use the zpc functionality via the OpenSSL API, the zpcprovider has to be defined in the OpenSSL configuration. The build configures the template and creates an `openssl.cnf` file, which can be used for test purposes. The configuration file will be created in the build output folder. The build also configures a second template and creates a configuration drop-in file `zpcprovider.cnf`. This file can be included in existing OpenSSL configuration files. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The scripts set breakpoints for all zpcprovider functions, which are called by the OpenSSL provider API (dispatch functions). Each zpcprovider component has its own gdb-script. Sourcing multiple scripts is possible. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The tool `zpckey` is a key management tool for the zpcprovider. It supports the composition of key-origins (compose) and prints information about existing zpcprovider keys (show). The tool supports key encoding as hbkzpc-URI, DER or PEM. Currently, only keys of origin type `uv` are supported. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
As PEM/DER key files are supported now, exclude them from the version control by default. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The test script iterates over a list of algorithms and generates the required key files for further tests. It covers test-cases for the tool `zpckey`. The test-case depends on one clear-key for each algorithm. These clear-keys must also exist as related UV retrievable secret. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The test script iterates over a list of algorithms and queries parameters of the key for each algorithm. The test depends on the key files, which are created by the `t_ossl_prepkey` test-case. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The test script iterates over a list of algorithms and performs the following tests for each algorithm:
- sign with zpc-key, verify with zpc-key
- sign with zpc-key, verify with clear-key (priv, pub)
- sign with clear-key, verify with zpc-key

The test depends on the key files, which are created by the `t_ossl_prepkey` test-case. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
The introduction of platform-independent targets allows to build parts of the project for non-s390x platforms. This is required at least for the tool `zpckey`. Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
|
The current PR version includes all review comments and is based on the current provider PR (#41). It now also contains test scripts, which generate all required provider keys as well as public-keys of the clear-key secrets. The tests have been prepared for running in the CI, so there must exist one clear-key secret for each algorithm, as well as the matching UV retrievable secret. CI-setup scripts normally create these requirements, so it is not duplicated in the project's test-scripts. The build file now also supports builds for non-s390 target. The content of such builds is reduced and covers only the zpckey tool. This feature will be used later for the rpm-packaging, as the zpckey tool should also be available on non-s390x platforms. Reviewers should focus on the last 8 commits in the PR, as the other ones are already covered by the review of #41. |
| -p, \--pubkey <FILE> | ||
| : Public Key file | ||
|
|
||
| -o, \--out <PATH> |
Maybe mention that --out is ignored for outform URI?
This PR adds a new tool for managing the key origins for the zpcprovider. It covers key origins for UV retrievable secrets.
The PR is based on #41, so only the last 3 commits are relevant for the review. This PR should not be merged before the other one.