zpcprovider for sign/verify (ecdsa/eddsa)

[holger-dengler]

This PR requires PR #40.

This PR adds OpenSSL provider support for libzpc. This first version covers the main functionality for store, keymgmt, sign/verify and decoder support.

As the series add a lot of new code, it is split into many commits to make the review (hopefully) a bit easier.

ToDo:

• public key support for store/decoder
• alloc/free needs some debugging

Restriction:

• the tests uses hard-coded public keys, so running tests on other machines require code changes in tprovider.c.
• the provider only supports uv origins, so testing is limited to SEL environments.

[ifranzki]

Are you looking at the Travis build failures? You might need to build OpenSSL from source to have a 3.5.0 version to build against.

[holger-dengler]

Yes, a fix for the travis is in progress. It looks like travis only provides 3.0 out of the box. So I'll build my own. At least 3.5, better 4.0.

[holger-dengler]

The update contains:

• re-order of the commits (move test to the end of the series)
• rework of signature/eddsa
• pick review comments
• minor fixes

[holger-dengler]

Another update (force push) to remove the merge conflicts and add a fix for travis.

[ifranzki]

I would suggest to also add tests that utilize the openssl application to use protected key origins. For example, creating/signing a certificate with a protected key origin specified via URI or PEM using openssl x509 -in cert.csr -out cert.pem -req -signkey <protected key origin> -days 1001.

[holger-dengler]

I would suggest to also add tests that utilize the openssl application to use protected key origins. For example, creating/signing a certificate with a protected key origin specified via URI or PEM using openssl x509 -in cert.csr -out cert.pem -req -signkey <protected key origin> -days 1001.

I plan to rework the test. tprovider will be renamed (t_provider) and changed to do only the lookup for the provider components. All key-related functional test will be moved to a new t_openssl test script, which uses openssl to create keys and call the functions. such a split is required to run the tests in a CI.

[ifranzki]

I would move the provider sources into a subdirectory, e.g. src/provider/. Maybe even move the library sources into a subdirectory e.g. src/lib/.

[holger-dengler]

I would postpone the source code restructuring until the provider transition is done (symmetric cipher, secure-key origins etc). There will be eventually also some removal of no longer used code.

[holger-dengler]

I'll check the asan-build option.

[holger-dengler]

New PR version with

• integrated feedback
• ASAN build option

[ifranzki]

Build failures in Travis:

/home/travis/build/opencryptoki/libzpc/src/signature.c:430:38: warning: implicit declaration of function ‘EVP_MD_CTX_dup’; did you mean ‘EVP_MAC_CTX_dup’? [-Wimplicit-function-declaration]
  430 |             !(sctx_dst->fwd_md_ctx = EVP_MD_CTX_dup(sctx_src->fwd_md_ctx)))
      |                                      ^~~~~~~~~~~~~~
      |                                      EVP_MAC_CTX_dup
/home/travis/build/opencryptoki/libzpc/src/signature.c:430:36: warning: assignment to ‘EVP_MD_CTX *’ {aka ‘struct evp_md_ctx_st *’} from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
  430 |             !(sctx_dst->fwd_md_ctx = EVP_MD_CTX_dup(sctx_src->fwd_md_ctx)))
      |                                    ^
In file included from /usr/include/openssl/ec.h:103,
                 from /usr/include/openssl/ecdsa.h:10,
                 from /home/travis/build/opencryptoki/libzpc/src/signature.c:6:
/home/travis/build/opencryptoki/libzpc/src/signature.c: In function ‘eddsa_gettable_ctx_params’:
/home/travis/build/opencryptoki/libzpc/src/signature.c:685:40: error: ‘OSSL_SIGNATURE_PARAM_INSTANCE’ undeclared (first use in this function); did you mean ‘OSSL_SIGNATURE_PARAM_KAT’?
  685 |                 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_INSTANCE, NULL, 0),
      |                                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/travis/build/opencryptoki/libzpc/src/signature.c:685:40: note: each undeclared identifier is reported only once for each function it appears in
/home/travis/build/opencryptoki/libzpc/src/signature.c:686:41: error: ‘OSSL_SIGNATURE_PARAM_CONTEXT_STRING’ undeclared (first use in this function); did you mean ‘OSSL_SIGNATURE_PARAM_DIGEST_SIZE’?
  686 |                 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_CONTEXT_STRING, NULL, 0),
      |                                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/travis/build/opencryptoki/libzpc/src/signature.c: In function ‘eddsa_get_ctx_params’:
/home/travis/build/opencryptoki/libzpc/src/signature.c:706:39: error: ‘OSSL_SIGNATURE_PARAM_INSTANCE’ undeclared (first use in this function); did you mean ‘OSSL_SIGNATURE_PARAM_KAT’?
  706 |         p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_INSTANCE);
      |                                       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |                                       OSSL_SIGNATURE_PARAM_KAT
/home/travis/build/opencryptoki/libzpc/src/signature.c:712:39: error: ‘OSSL_SIGNATURE_PARAM_CONTEXT_STRING’ undeclared (first use in this function); did you mean ‘OSSL_SIGNATURE_PARAM_DIGEST_SIZE’?
  712 |         p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_CONTEXT_STRING);
      |                                       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |                                       OSSL_SIGNATURE_PARAM_DIGEST_SIZE
/home/travis/build/opencryptoki/libzpc/src/signature.c: In function ‘eddsa_settable_ctx_params’:
/home/travis/build/opencryptoki/libzpc/src/signature.c:725:40: error: ‘OSSL_SIGNATURE_PARAM_INSTANCE’ undeclared (first use in this function); did you mean ‘OSSL_SIGNATURE_PARAM_KAT’?
  725 |                 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_INSTANCE, NULL, 0),
      |                                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/travis/build/opencryptoki/libzpc/src/signature.c:726:41: error: ‘OSSL_SIGNATURE_PARAM_CONTEXT_STRING’ undeclared (first use in this function); did you mean ‘OSSL_SIGNATURE_PARAM_DIGEST_SIZE’?
  726 |                 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_CONTEXT_STRING, NULL, 0),
      |                                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/travis/build/opencryptoki/libzpc/src/signature.c: In function ‘eddsa_set_ctx_params’:
/home/travis/build/opencryptoki/libzpc/src/signature.c:740:45: error: ‘OSSL_SIGNATURE_PARAM_INSTANCE’ undeclared (first use in this function); did you mean ‘OSSL_SIGNATURE_PARAM_KAT’?
  740 |         p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_INSTANCE);
      |                                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |                                             OSSL_SIGNATURE_PARAM_KAT
/home/travis/build/opencryptoki/libzpc/src/signature.c:749:45: error: ‘OSSL_SIGNATURE_PARAM_CONTEXT_STRING’ undeclared (first use in this function); did you mean ‘OSSL_SIGNATURE_PARAM_DIGEST_SIZE’?
  749 |         p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_CONTEXT_STRING);
      |                                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |                                             OSSL_SIGNATURE_PARAM_DIGEST_SIZE
gmake[2]: *** [CMakeFiles/zpcprovider.dir/build.make:160: CMakeFiles/zpcprovider.dir/src/signature.c.o] Error 1
gmake[1]: *** [CMakeFiles/Makefile2:198: CMakeFiles/zpcprovider.dir/all] Error 2
gmake: *** [Makefile:136: all] Error 2

[ifranzki]

/home/travis/build/opencryptoki/libzpc/src/signature.c:430:38: warning: implicit declaration of function ‘EVP_MD_CTX_dup’; did you mean ‘EVP_MAC_CTX_dup’? [-Wimplicit-function-declaration]
  430 |             !(sctx_dst->fwd_md_ctx = EVP_MD_CTX_dup(sctx_src->fwd_md_ctx)))

The EVP_MD_CTX_dup() function was added in OpenSSL 3.1.

But you can do something like

EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in)
{
    EVP_MD_CTX *out = EVP_MD_CTX_new();

    if (out != NULL && !EVP_MD_CTX_copy_ex(out, in)) {
        EVP_MD_CTX_free(out);
        out = NULL;
    }
    return out;
}