WiP TPM storage tests

LinuxJedi · LinuxJedi · commit cfd433ce34a1 · 2025-06-27T15:40:53.000+01:00
diff --git a/.github/workflows/storage-upgrade-test-tpm.yml b/.github/workflows/storage-upgrade-test-tpm.yml
@@ -0,0 +1,204 @@
+name: wolfPKCS11 Storage Format Upgrade Test (TPM)
+
+on:
+  pull_request:
+    branches: [ '*' ]
+
+env:
+  WOLFSSL_VERSION: v5.8.0-stable
+
+jobs:
+  storage-upgrade-test-tpm:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        base-ref:
+          - name: master
+            ref: master
+            branch-dir: master-branch
+          - name: v1.3.0
+            ref: v1.3.0-stable
+            branch-dir: v1.3.0-stable-branch
+
+    steps:
+    # Checkout the PR branch
+    - name: Checkout PR branch
+      uses: actions/checkout@v4
+      with:
+        path: pr-branch
+
+    # Checkout base branch/tag separately
+    - name: Checkout ${{ matrix.base-ref.name }} branch
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ matrix.base-ref.ref }}
+        path: ${{ matrix.base-ref.branch-dir }}
+
+    - name: Cache wolfSSL
+      id: cache-wolfssl
+      uses: actions/cache@v4
+      with:
+        path: wolfssl
+        key: wolfssl-${{ env.WOLFSSL_VERSION }}
+
+    # Setup wolfssl (required dependency)
+    - name: Checkout wolfssl
+      if: steps.cache-wolfssl.outputs.cache-hit != 'true'
+      uses: actions/checkout@v4
+      with:
+        repository: wolfssl/wolfssl
+        path: wolfssl
+        ref: ${{ env.WOLFSSL_VERSION }}
+
+    - name: Build wolfssl
+      if: steps.cache-wolfssl.outputs.cache-hit != 'true'
+      working-directory: ./wolfssl
+      run: |
+        ./autogen.sh
+        ./configure --enable-cryptocb --enable-aescfb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt \
+            C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT"
+        make
+
+    - name: Install wolfssl
+      working-directory: ./wolfssl
+      run: |
+        sudo make install
+        sudo ldconfig
+
+    # Setup IBM Software TPM simulator
+    - name: Setup IBM Software TPM
+      run: |
+        git clone https://github.com/kgoldman/ibmswtpm2.git
+        cd ibmswtpm2/src
+        make
+        ./tpm_server &
+        sleep 2
+        cd ../..
+
+    # Build and install wolfTPM (required for TPM operations)
+    - name: Build and install wolfTPM
+      run: |
+        git clone https://github.com/wolfSSL/wolftpm.git
+        cd wolftpm
+        ./autogen.sh
+        ./configure --enable-swtpm --enable-debug
+        make -j$(nproc)
+        sudo make install
+        sudo ldconfig
+        cd ..
+
+    # Phase 1: Build and test base branch/tag with TPM
+    - name: Build wolfPKCS11 ${{ matrix.base-ref.name }} with TPM
+      working-directory: ./${{ matrix.base-ref.branch-dir }}
+      run: |
+        echo "=== Building wolfPKCS11 ${{ matrix.base-ref.name }} branch with TPM support ==="
+        ./autogen.sh
+        ./configure --enable-singlethreaded --enable-wolftpm --disable-dh C_EXTRA_FLAGS="-DWOLFPKCS11_TPM_STORE"
+        make
+
+    - name: Run TPM tests on ${{ matrix.base-ref.name }} to generate storage files
+      working-directory: ./${{ matrix.base-ref.branch-dir }}
+      run: |
+        echo "=== Running TPM tests on ${{ matrix.base-ref.name }} branch ==="
+        # Run specific TPM tests that generate storage files
+        ./tests/pkcs11test
+        echo "=== ${{ matrix.base-ref.name }} branch TPM test completed ==="
+
+    # Phase 2: Build PR branch with TPM and copy storage files from base
+    - name: Build wolfPKCS11 PR branch with TPM
+      working-directory: ./pr-branch
+      run: |
+        echo "=== Building wolfPKCS11 PR branch with TPM support ==="
+        ./autogen.sh
+        ./configure --enable-singlethreaded --enable-wolftpm --disable-dh C_EXTRA_FLAGS="-DWOLFPKCS11_TPM_STORE"
+        make
+
+    - name: Copy TPM storage files from ${{ matrix.base-ref.name }} to PR
+      run: |
+        echo "=== Copying TPM storage files from ${{ matrix.base-ref.name }} to PR branch ==="
+
+        # Create directories if they don't exist
+        mkdir -p pr-branch/tests
+        mkdir -p pr-branch/store
+        mkdir -p pr-branch/test_token_storage
+
+        # Copy test storage files (TPM-specific patterns)
+        if [ -d "${{ matrix.base-ref.branch-dir }}/tests" ]; then
+          cp -v ${{ matrix.base-ref.branch-dir }}/tests/wp* pr-branch/tests/ 2>/dev/null || echo "No wp* files in ${{ matrix.base-ref.branch-dir }}/tests/"
+          cp -v ${{ matrix.base-ref.branch-dir }}/tests/tpm* pr-branch/tests/ 2>/dev/null || echo "No tpm* files in ${{ matrix.base-ref.branch-dir }}/tests/"
+        fi
+
+        # Copy store files (including TPM NV storage references)
+        if [ -d "${{ matrix.base-ref.branch-dir }}/store" ]; then
+          cp -v ${{ matrix.base-ref.branch-dir }}/store/wp* pr-branch/store/ 2>/dev/null || echo "No wp* files in ${{ matrix.base-ref.branch-dir }}/store/"
+          cp -v ${{ matrix.base-ref.branch-dir }}/store/tpm* pr-branch/store/ 2>/dev/null || echo "No tpm* files in ${{ matrix.base-ref.branch-dir }}/store/"
+        fi
+
+        # Copy token storage files if they exist
+        if [ -d "${{ matrix.base-ref.branch-dir }}/test_token_storage" ]; then
+          cp -rv ${{ matrix.base-ref.branch-dir }}/test_token_storage/* pr-branch/test_token_storage/ 2>/dev/null || echo "No files in ${{ matrix.base-ref.branch-dir }}/test_token_storage/"
+        fi
+
+        echo "=== TPM storage file copy completed ==="
+
+    - name: Test TPM storage format compatibility (${{ matrix.base-ref.name }} → PR)
+      working-directory: ./pr-branch
+      run: |
+        echo "=== Testing TPM storage format compatibility with PR branch ==="
+        echo "This tests that the PR can read TPM storage files created by ${{ matrix.base-ref.name }} branch"
+
+        # List the copied files for verification
+        echo "Files in tests directory:"
+        ls -la tests/wp* tests/tpm* 2>/dev/null || echo "No wp*/tpm* files in tests/"
+        echo "Files in store directory:"
+        ls -la store/wp* store/tpm* 2>/dev/null || echo "No wp*/tpm* files in store/"
+        echo "Files in test_token_storage directory:"
+        ls -la test_token_storage/ 2>/dev/null || echo "No files in test_token_storage/"
+
+        # Check TPM status before running tests
+        echo "=== Checking TPM simulator status ==="
+        ps aux | grep tpm_server || echo "TPM server may not be running"
+
+        # Run the TPM-specific tests with the copied storage files
+        echo "=== Running TPM compatibility tests ==="
+        ./tests/pkcs11test
+        ./tests/object_id_uniqueness_test
+        echo "=== TPM storage format upgrade test (${{ matrix.base-ref.name }} → PR) completed successfully ==="
+
+    # Upload artifacts for debugging if needed
+    - name: Upload TPM storage test artifacts
+      if: failure()
+      uses: actions/upload-artifact@v4
+      with:
+        name: tpm-storage-upgrade-test-artifacts-${{ matrix.base-ref.name }}
+        path: |
+          pr-branch/test-suite.log
+          pr-branch/config.log
+          ${{ matrix.base-ref.branch-dir }}/store/wp*
+          ${{ matrix.base-ref.branch-dir }}/store/tpm*
+          ${{ matrix.base-ref.branch-dir }}/tests/wp*
+          ${{ matrix.base-ref.branch-dir }}/tests/tpm*
+          ${{ matrix.base-ref.branch-dir }}/test_token_storage/
+          ${{ matrix.base-ref.branch-dir }}/test-suite.log
+          ${{ matrix.base-ref.branch-dir }}/config.log
+        retention-days: 5
+
+    # Capture logs on failure with TPM-specific information
+    - name: Upload TPM failure logs
+      if: failure() || cancelled()
+      uses: actions/upload-artifact@v4
+      with:
+        name: tpm-storage-upgrade-test-failure-logs-${{ matrix.base-ref.name }}
+        path: |
+          pr-branch/test-suite.log
+          pr-branch/config.log
+          ${{ matrix.base-ref.branch-dir }}/test-suite.log
+          ${{ matrix.base-ref.branch-dir }}/config.log
+        retention-days: 5
+
+    # Clean up TPM simulator on exit
+    - name: Cleanup TPM simulator
+      if: always()
+      run: |
+        echo "=== Cleaning up TPM simulator ==="
+        pkill -f tpm_server || echo "TPM server was not running"
diff --git a/src/internal.c b/src/internal.c
@@ -4159,7 +4159,7 @@ static int wp11_Token_Load(WP11_Slot* slot, int tokenId, WP11_Token* token)
         }
 
         /* If there is no pin, there is no login, so decode now */
-        if (WP11_Slot_Has_Empty_Pin(slot)) {
+        if (WP11_Slot_Has_Empty_Pin(slot) && (ret == 0)) {
 #ifndef WOLFPKCS11_NO_STORE
             object = token->object;
             while (ret == 0 && object != NULL) {

Original file line number	Diff line number	Diff line change
`@@ -4159,7 +4159,7 @@ static int wp11_Token_Load(WP11_Slot* slot, int tokenId, WP11_Token* token)`
`4159`	`4159`	`}`
`4160`	`4160`
`4161`	`4161`	`/* If there is no pin, there is no login, so decode now */`
`4162`		`- if (WP11_Slot_Has_Empty_Pin(slot)) {`
	`4162`	`+ if (WP11_Slot_Has_Empty_Pin(slot) && (ret == 0)) {`
`4163`	`4163`	`#ifndef WOLFPKCS11_NO_STORE`
`4164`	`4164`	`object = token->object;`
`4165`	`4165`	`while (ret == 0 && object != NULL) {`