WiP TPM storage tests

.github/workflows/storage-upgrade-test-tpm.yml

@@ -0,0 +1,204 @@
+name: wolfPKCS11 Storage Format Upgrade Test (TPM)
+
+on:
+  pull_request:
+    branches: [ '*' ]
+
+env:
+  WOLFSSL_VERSION: v5.8.0-stable
+
+jobs:
+  storage-upgrade-test-tpm:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        base-ref:
+          - name: master
+            ref: master
+            branch-dir: master-branch
+          - name: v1.3.0
+            ref: v1.3.0-stable
+            branch-dir: v1.3.0-stable-branch
+
+    steps:
+    # Checkout the PR branch
+    - name: Checkout PR branch
+      uses: actions/checkout@v4
+      with:
+        path: pr-branch
+
+    # Checkout base branch/tag separately
+    - name: Checkout ${{ matrix.base-ref.name }} branch
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ matrix.base-ref.ref }}
+        path: ${{ matrix.base-ref.branch-dir }}
+
+    - name: Cache wolfSSL
+      id: cache-wolfssl
+      uses: actions/cache@v4
+      with:
+        path: wolfssl
+        key: wolfssl-${{ env.WOLFSSL_VERSION }}
+
+    # Setup wolfssl (required dependency)
+    - name: Checkout wolfssl
+      if: steps.cache-wolfssl.outputs.cache-hit != 'true'
+      uses: actions/checkout@v4
+      with:
+        repository: wolfssl/wolfssl
+        path: wolfssl
+        ref: ${{ env.WOLFSSL_VERSION }}
+
+    - name: Build wolfssl
+      if: steps.cache-wolfssl.outputs.cache-hit != 'true'
+      working-directory: ./wolfssl
+      run: |
+        ./autogen.sh
+        ./configure --enable-cryptocb --enable-aescfb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt \
+            C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT"
+        make
+
+    - name: Install wolfssl
+      working-directory: ./wolfssl
+      run: |
+        sudo make install
+        sudo ldconfig
+
+    # Setup IBM Software TPM simulator
+    - name: Setup IBM Software TPM
+      run: |
+        git clone https://github.com/kgoldman/ibmswtpm2.git
+        cd ibmswtpm2/src
+        make
+        ./tpm_server &
+        sleep 2
+        cd ../..
+
+    # Build and install wolfTPM (required for TPM operations)
+    - name: Build and install wolfTPM
+      run: |
+        git clone https://github.com/wolfSSL/wolftpm.git
+        cd wolftpm
+        ./autogen.sh
+        ./configure --enable-swtpm --enable-debug
+        make -j$(nproc)
+        sudo make install
+        sudo ldconfig
+        cd ..
+
+    # Phase 1: Build and test base branch/tag with TPM
+    - name: Build wolfPKCS11 ${{ matrix.base-ref.name }} with TPM
+      working-directory: ./${{ matrix.base-ref.branch-dir }}
+      run: |
+        echo "=== Building wolfPKCS11 ${{ matrix.base-ref.name }} branch with TPM support ==="
+        ./autogen.sh
+        ./configure --enable-singlethreaded --enable-wolftpm --disable-dh C_EXTRA_FLAGS="-DWOLFPKCS11_TPM_STORE"
+        make
+
+    - name: Run TPM tests on ${{ matrix.base-ref.name }} to generate storage files
+      working-directory: ./${{ matrix.base-ref.branch-dir }}
+      run: |
+        echo "=== Running TPM tests on ${{ matrix.base-ref.name }} branch ==="
+        # Run specific TPM tests that generate storage files
+        ./tests/pkcs11test
+        echo "=== ${{ matrix.base-ref.name }} branch TPM test completed ==="
+
+    # Phase 2: Build PR branch with TPM and copy storage files from base
+    - name: Build wolfPKCS11 PR branch with TPM
+      working-directory: ./pr-branch
+      run: |
+        echo "=== Building wolfPKCS11 PR branch with TPM support ==="
+        ./autogen.sh
+        ./configure --enable-singlethreaded --enable-wolftpm --disable-dh C_EXTRA_FLAGS="-DWOLFPKCS11_TPM_STORE"
+        make
+
+    - name: Copy TPM storage files from ${{ matrix.base-ref.name }} to PR
+      run: |
+        echo "=== Copying TPM storage files from ${{ matrix.base-ref.name }} to PR branch ==="
+
+        # Create directories if they don't exist
+        mkdir -p pr-branch/tests
+        mkdir -p pr-branch/store
+        mkdir -p pr-branch/test_token_storage
+
+        # Copy test storage files (TPM-specific patterns)
+        if [ -d "${{ matrix.base-ref.branch-dir }}/tests" ]; then
+          cp -v ${{ matrix.base-ref.branch-dir }}/tests/wp* pr-branch/tests/ 2>/dev/null || echo "No wp* files in ${{ matrix.base-ref.branch-dir }}/tests/"
+          cp -v ${{ matrix.base-ref.branch-dir }}/tests/tpm* pr-branch/tests/ 2>/dev/null || echo "No tpm* files in ${{ matrix.base-ref.branch-dir }}/tests/"
+        fi
+
+        # Copy store files (including TPM NV storage references)
+        if [ -d "${{ matrix.base-ref.branch-dir }}/store" ]; then
+          cp -v ${{ matrix.base-ref.branch-dir }}/store/wp* pr-branch/store/ 2>/dev/null || echo "No wp* files in ${{ matrix.base-ref.branch-dir }}/store/"
+          cp -v ${{ matrix.base-ref.branch-dir }}/store/tpm* pr-branch/store/ 2>/dev/null || echo "No tpm* files in ${{ matrix.base-ref.branch-dir }}/store/"
+        fi
+
+        # Copy token storage files if they exist
+        if [ -d "${{ matrix.base-ref.branch-dir }}/test_token_storage" ]; then
+          cp -rv ${{ matrix.base-ref.branch-dir }}/test_token_storage/* pr-branch/test_token_storage/ 2>/dev/null || echo "No files in ${{ matrix.base-ref.branch-dir }}/test_token_storage/"
+        fi
+
+        echo "=== TPM storage file copy completed ==="
+
+    - name: Test TPM storage format compatibility (${{ matrix.base-ref.name }} → PR)
+      working-directory: ./pr-branch
+      run: |
+        echo "=== Testing TPM storage format compatibility with PR branch ==="
+        echo "This tests that the PR can read TPM storage files created by ${{ matrix.base-ref.name }} branch"
+
+        # List the copied files for verification
+        echo "Files in tests directory:"
+        ls -la tests/wp* tests/tpm* 2>/dev/null || echo "No wp*/tpm* files in tests/"
+        echo "Files in store directory:"
+        ls -la store/wp* store/tpm* 2>/dev/null || echo "No wp*/tpm* files in store/"
+        echo "Files in test_token_storage directory:"
+        ls -la test_token_storage/ 2>/dev/null || echo "No files in test_token_storage/"
+
+        # Check TPM status before running tests
+        echo "=== Checking TPM simulator status ==="
+        ps aux | grep tpm_server || echo "TPM server may not be running"
+
+        # Run the TPM-specific tests with the copied storage files
+        echo "=== Running TPM compatibility tests ==="
+        ./tests/pkcs11test
+        ./tests/object_id_uniqueness_test
+        echo "=== TPM storage format upgrade test (${{ matrix.base-ref.name }} → PR) completed successfully ==="
+
+    # Upload artifacts for debugging if needed
+    - name: Upload TPM storage test artifacts
+      if: failure()
+      uses: actions/upload-artifact@v4
+      with:
+        name: tpm-storage-upgrade-test-artifacts-${{ matrix.base-ref.name }}
+        path: |
+          pr-branch/test-suite.log
+          pr-branch/config.log
+          ${{ matrix.base-ref.branch-dir }}/store/wp*
+          ${{ matrix.base-ref.branch-dir }}/store/tpm*
+          ${{ matrix.base-ref.branch-dir }}/tests/wp*
+          ${{ matrix.base-ref.branch-dir }}/tests/tpm*
+          ${{ matrix.base-ref.branch-dir }}/test_token_storage/
+          ${{ matrix.base-ref.branch-dir }}/test-suite.log
+          ${{ matrix.base-ref.branch-dir }}/config.log
+        retention-days: 5
+
+    # Capture logs on failure with TPM-specific information
+    - name: Upload TPM failure logs
+      if: failure() || cancelled()
+      uses: actions/upload-artifact@v4
+      with:
+        name: tpm-storage-upgrade-test-failure-logs-${{ matrix.base-ref.name }}
+        path: |
+          pr-branch/test-suite.log
+          pr-branch/config.log
+          ${{ matrix.base-ref.branch-dir }}/test-suite.log
+          ${{ matrix.base-ref.branch-dir }}/config.log
+        retention-days: 5
+
+    # Clean up TPM simulator on exit
+    - name: Cleanup TPM simulator
+      if: always()
+      run: |
+        echo "=== Cleaning up TPM simulator ==="
+        pkill -f tpm_server || echo "TPM server was not running"

.gitignore

@@ -34,6 +34,10 @@ coverage.info
 tests/pkcs11test
 tests/pkcs11mtt
 tests/pkcs11str
+tests/object_id_uniqueness_test
+tests/rsa_session_persistence_test
+tests/debug_test
+tests/token_path_test
 examples/add_aes_key
 examples/add_hmac_key
 examples/add_rsa_key

src/internal.c

@@ -477,6 +477,7 @@ typedef struct WP11_Token {
     WP11_Object* object;               /* Linked list of token objects        */
     int objCnt;                        /* Count of objects on token           */
     int tokenFlags;                    /* Flags for token                     */
+    int nextObjId;
 } WP11_Token;
 
 struct WP11_Slot {
@@ -486,7 +487,6 @@ struct WP11_Slot {
     WP11_Lock lock;                    /* Lock for access to slot info        */
 
     int devId;
-    int nextObjId;
 #ifdef WOLFPKCS11_TPM
     WOLFTPM2_DEV tpmDev;
     WOLFTPM2_KEY tpmSrk;
@@ -880,6 +880,7 @@ static int wolfPKCS11_Store_GetMaxSize(int type, int variableSz)
                 FIELD_SIZE(WP11_Token, seed) +
                 FIELD_SIZE(WP11_Token, objCnt) +
                 FIELD_SIZE(WP11_Token, tokenFlags) +
+                FIELD_SIZE(WP11_Token, nextObjId) +
                 variableSz /* soPinLen + userPinLen + (objCnt * long) */
             ;
             break;
@@ -3987,6 +3988,7 @@ static int wp11_Token_Init(WP11_Token* token, const char* label)
     if (ret == 0) {
         token->state = WP11_TOKEN_STATE_INITIALIZED;
         token->loginState = WP11_APP_STATE_RW_PUBLIC;
+        token->nextObjId = 1;
         XMEMCPY(token->label, label, sizeof(token->label));
     }
 
@@ -4130,8 +4132,16 @@ static int wp11_Token_Load(WP11_Slot* slot, int tokenId, WP11_Token* token)
                 if (token->soPinLen > 0) {
                     token->tokenFlags |= WP11_TOKEN_FLAG_SO_PIN_SET;
                 }
+                token->nextObjId = 1;
                 ret = 0;
             }
+            else {
+                ret = wp11_storage_read_int(storage, &token->nextObjId);
+                if (ret == BUFFER_E || token->nextObjId == 0) {
+                    token->nextObjId = 1;
+                    ret = 0;
+                }
+            }
         }
 
         wp11_storage_close(storage);
@@ -4149,7 +4159,7 @@ static int wp11_Token_Load(WP11_Slot* slot, int tokenId, WP11_Token* token)
         }
 
         /* If there is no pin, there is no login, so decode now */
-        if (WP11_Slot_Has_Empty_Pin(slot)) {
+        if (WP11_Slot_Has_Empty_Pin(slot) && (ret == 0)) {
 #ifndef WOLFPKCS11_NO_STORE
             object = token->object;
             while (ret == 0 && object != NULL) {
@@ -4264,6 +4274,11 @@ static int wp11_Token_Store(WP11_Token* token, int tokenId)
             ret = wp11_storage_write_int(storage, token->tokenFlags);
         }
 
+        if (ret == 0) {
+            /* Write next object id. (4) */
+            ret = wp11_storage_write_int(storage, token->nextObjId);
+        }
+
         wp11_storage_close(storage);
 
         object = token->object;
@@ -4414,7 +4429,6 @@ static int wp11_Slot_Init(WP11_Slot* slot, int id)
 
     XMEMSET(slot, 0, sizeof(*slot));
     slot->id = id;
-    slot->nextObjId = 1;
     slot->token.state = WP11_TOKEN_STATE_UNKNOWN;
     slot->token.tokenFlags = 0;
 
@@ -6074,7 +6088,7 @@ int WP11_Session_AddObject(WP11_Session* session, int onToken,
             /* Get next item in list after this object has been added. */
             next = token->object;
             /* Determine handle value */
-            object->handle = OBJ_HANDLE(onToken, session->slot->nextObjId++);
+            object->handle = OBJ_HANDLE(onToken, token->nextObjId++);
             object->next = next;
             token->object = object;
         }
@@ -6092,7 +6106,7 @@ int WP11_Session_AddObject(WP11_Session* session, int onToken,
             /* Get next item in list after this object has been added. */
             next = session->object;
             /* Determine handle value */
-            object->handle = OBJ_HANDLE(onToken, session->slot->nextObjId++);
+            object->handle = OBJ_HANDLE(onToken, token->nextObjId++);
             object->next = next;
             session->object = object;
             object->session = session;

tests/include.am

@@ -31,15 +31,22 @@ noinst_PROGRAMS += tests/debug_test
 tests_debug_test_SOURCES = tests/debug_test.c
 tests_debug_test_LDADD =
 
+check_PROGRAMS += tests/object_id_uniqueness_test
+noinst_PROGRAMS += tests/object_id_uniqueness_test
+tests_object_id_uniqueness_test_SOURCES = tests/object_id_uniqueness_test.c
+tests_object_id_uniqueness_test_LDADD =
+
 if BUILD_STATIC
 tests_pkcs11test_LDADD += src/libwolfpkcs11.la
 tests_pkcs11mtt_LDADD  += src/libwolfpkcs11.la
 tests_pkcs11str_LDADD  += src/libwolfpkcs11.la
 tests_token_path_test_LDADD += src/libwolfpkcs11.la
 tests_rsa_session_persistence_test_LDADD += src/libwolfpkcs11.la
 tests_debug_test_LDADD += src/libwolfpkcs11.la
+tests_object_id_uniqueness_test_LDADD += src/libwolfpkcs11.la
 else
 tests_debug_test_LDADD += src/libwolfpkcs11.la
+tests_object_id_uniqueness_test_LDADD += src/libwolfpkcs11.la
 endif
 
 EXTRA_DIST += tests/unit.h \