Add wolfBoot testing to wolfPKCS11

.github/workflows/clang-tidy.yml

@@ -76,6 +76,14 @@ jobs:
         sudo ldconfig
         cd ..
 
+    # Fetch wolfBoot sources for custom store builds
+    - name: Fetch wolfBoot sources
+      run: |
+        WOLFBOOT_DIR="${RUNNER_TEMP:-/tmp}/wolfBoot"
+        rm -rf "$WOLFBOOT_DIR"
+        git clone --depth 1 --branch master https://github.com/wolfSSL/wolfBoot.git "$WOLFBOOT_DIR"
+        echo "WOLFBOOT_DIR=$WOLFBOOT_DIR" >> "$GITHUB_ENV"
+
     # Setup IBM Software TPM (only if TPM enabled)
     - name: Setup IBM Software TPM
       if: contains(matrix.config.configure_flags, '--enable-tpm')
@@ -109,9 +117,9 @@ jobs:
       run: |
         ./autogen.sh
         if [ -n "${{ matrix.config.configure_flags }}" ]; then
-          CC=clang CXX=clang++ ./configure --enable-all --enable-debug ${{ matrix.config.configure_flags }}
+          CC=clang CXX=clang++ ./configure --enable-all --enable-debug --with-wolfboot="${WOLFBOOT_DIR}" ${{ matrix.config.configure_flags }}
         else
-          CC=clang CXX=clang++ ./configure --enable-all --enable-debug
+          CC=clang CXX=clang++ ./configure --enable-all --enable-debug --with-wolfboot="${WOLFBOOT_DIR}"
         fi
         bear -- make -j$(nproc)
 

.github/workflows/wolfboot-build.yml

@@ -0,0 +1,71 @@
+name: Build wolfBoot integration
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build wolfPKCS11 with wolfBoot store
+    runs-on: ubuntu-24.04
+    env:
+      DEBIAN_FRONTEND: noninteractive
+      LD_LIBRARY_PATH: /usr/local/lib
+      PKG_CONFIG_PATH: /usr/local/lib/pkgconfig
+      WOLFSSL_REF: v5.8.0-stable
+      WOLFBOOT_REF: master
+      WOLFBOOT_DIR: /tmp/wolfBoot
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends \
+            autoconf \
+            automake \
+            build-essential \
+            ca-certificates \
+            git \
+            libssl-dev \
+            libtool \
+            make \
+            pkg-config \
+            python3 \
+            gdb
+
+      - name: Build and install wolfSSL
+        run: |
+          git clone --depth 1 --branch "${WOLFSSL_REF}" https://github.com/wolfSSL/wolfssl.git /tmp/wolfssl
+          cd /tmp/wolfssl
+          ./autogen.sh
+          ./configure --enable-debug --enable-aescfb --enable-cryptocb --enable-rsapss --enable-keygen \
+            --enable-pwdbased --enable-scrypt "C_EXTRA_FLAGS=-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DHAVE_AES_ECB -DHAVE_AES_KEYWRAP"
+          make -j"$(nproc)"
+          sudo make install
+          sudo ldconfig
+
+      - name: Fetch wolfBoot sources
+        run: |
+          git clone --depth 1 --branch "${WOLFBOOT_REF}" https://github.com/wolfSSL/wolfBoot.git "${WOLFBOOT_DIR}"
+
+      - name: Build wolfPKCS11
+        run: |
+          ./autogen.sh
+          ./configure --enable-debug --with-wolfboot="${WOLFBOOT_DIR}" CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib"
+          make -j"$(nproc)"
+
+      - name: Run tests
+        run: make test
+
+      - name: Archive test-suite.log on failure
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolfboot-test-suite-log
+          path: test-suite.log
+          if-no-files-found: ignore

.gitignore

@@ -48,6 +48,7 @@ examples/mech_info
 examples/obj_list
 examples/slot_info
 examples/token_info
+examples/nss_pkcs12_pbe_example
 store/wp11*
 store/object
 store/pkcs11mtt

Docker/include.am

@@ -1 +1,3 @@
 EXTRA_DIST+= Docker/packaging/debian/Dockerfile
+EXTRA_DIST+= Docker/firefox/Dockerfile
+EXTRA_DIST+= Docker/wolfboot/Dockerfile

Docker/wolfboot/Dockerfile

@@ -0,0 +1,45 @@
+FROM ubuntu:24.04
+
+ARG WOLFSSL_REF=v5.8.0-stable
+ARG WOLFBOOT_REF=master
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV LD_LIBRARY_PATH=/usr/local/lib
+ENV PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        autoconf \
+        automake \
+        build-essential \
+        ca-certificates \
+        git \
+        libssl-dev \
+        libtool \
+        make \
+        pkg-config \
+        python3 \
+        gdb \
+    && rm -rf /var/lib/apt/lists/*
+
+# Build and install wolfSSL
+RUN git clone --depth 1 --branch ${WOLFSSL_REF} https://github.com/wolfSSL/wolfssl.git /tmp/wolfssl \
+    && cd /tmp/wolfssl \
+    && ./autogen.sh \
+    && ./configure --enable-debug --enable-aescfb --enable-cryptocb --enable-rsapss --enable-keygen \
+        --enable-pwdbased --enable-scrypt "C_EXTRA_FLAGS=-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DHAVE_AES_ECB -DHAVE_AES_KEYWRAP" \
+    && make -j"$(nproc)" \
+    && make install \
+    && ldconfig \
+    && rm -rf /tmp/wolfssl
+
+# Fetch wolfBoot sources that provide the custom store implementation
+RUN git clone --depth 1 --branch ${WOLFBOOT_REF} https://github.com/wolfSSL/wolfBoot.git /opt/wolfBoot
+
+WORKDIR /wolfpkcs11
+COPY . /wolfpkcs11
+
+RUN ./autogen.sh \
+    && ./configure --enable-debug --with-wolfboot=/opt/wolfBoot CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" \
+    && make -j"$(nproc)"
+
+#RUN make check

README.md

@@ -73,6 +73,11 @@ Enables debugging printf's for store.
 Removes default implementation of storage functions.
 See wolfpkcs11/store.h for prototypes of functions to implement.
 
+To exercise the wolfBoot storage backend during host-based testing, configure
+with `./configure --with-wolfboot=/path/to/wolfBoot`. This enables
+`WOLFPKCS11_CUSTOM_STORE` automatically and links the test harness against the
+wolfBoot implementation of the store API.
+
 #### Define WOLFPKCS11_KEYPAIR_GEN_COMMON_LABEL
 
 Sets the private key's label against the public key when generating key pairs.
@@ -287,4 +292,3 @@ Adds backend support for TPM 2.0 using wolfTPM. Adds AES CBC key wrap / unwrap s
 ### wolfPKCS11 Release 1.0 (October 20, 2021)
 
 * Initial PKCS11 support
-

configure.ac

@@ -31,6 +31,8 @@ AC_PROG_INSTALL
 AC_ARG_PROGRAM
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_HEADERS([wolfpkcs11/config.h])
+m4_ifndef([AS_MESSAGE_LOG_FD],[m4_define([AS_MESSAGE_LOG_FD],[0])])
+m4_pattern_allow([AS_MESSAGE_LOG_FD])
 
 # shared library versioning
 # The three numbers in the libpkcs11.so.*.*.* file name. Unfortunately
@@ -78,6 +80,36 @@ AC_CHECK_SIZEOF([long], 4)
 AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday inet_ntoa memset socket getpid])
 AC_CHECK_LIB([network],[socket])
 
+WOLFBOOT_CPPFLAGS=""
+WOLFBOOT_STORE_ENABLED=no
+
+AC_ARG_WITH([wolfboot],
+    [AS_HELP_STRING([--with-wolfboot=PATH],
+        [Enable the wolfBoot-backed test storage adapter using the wolfBoot sources located at PATH])],
+    [with_wolfboot="$withval"],
+    [with_wolfboot=""])
+
+AS_IF([test "x$with_wolfboot" = "xyes"],
+      [AC_MSG_ERROR([--with-wolfboot requires a path to the wolfBoot source tree])])
+
+AS_IF([test "x$with_wolfboot" != "x" && test "x$with_wolfboot" != "xno"],
+      [if test ! -d "$with_wolfboot"; then
+           echo "configure: error: wolfBoot source directory $with_wolfboot not found" >&2
+           exit 1
+       fi
+       if test ! -f "$with_wolfboot/src/pkcs11_store.c"; then
+           echo "configure: error: wolfBoot PKCS#11 store source not found in $with_wolfboot/src" >&2
+           exit 1
+       fi
+       AC_DEFINE([HAVE_WOLFBOOT_STORE], [1],
+           [Define to 1 if wolfBoot custom storage support is enabled])
+       AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFPKCS11_CUSTOM_STORE -DWOLFPKCS11_WOLFBOOT_STORE"
+       WOLFBOOT_CPPFLAGS="-I$with_wolfboot/include -I$with_wolfboot/src -I$with_wolfboot/tools/unit-tests"
+       WOLFBOOT_STORE_ENABLED=yes])
+
+AM_CONDITIONAL([HAVE_WOLFBOOT_STORE], [test "x$WOLFBOOT_STORE_ENABLED" = "xyes"])
+AC_SUBST([WOLFBOOT_CPPFLAGS])
+
 # DEBUG
 DEBUG_CFLAGS="-g -O0 -DDEBUG_WOLFPKCS11"
 

src/crypto.c

@@ -6411,7 +6411,6 @@ CK_RV C_GenerateKey(CK_SESSION_HANDLE hSession,
                 case CKP_PKCS5_PBKD2_HMAC_SHA512:
                     hashType = WC_SHA512;
                     break;
-#endif
 #ifndef WOLFSSL_NOSHA512_224
                 case CKP_PKCS5_PBKD2_HMAC_SHA512_224:
                     hashType = WC_SHA512_224;
@@ -6421,6 +6420,7 @@ CK_RV C_GenerateKey(CK_SESSION_HANDLE hSession,
                 case CKP_PKCS5_PBKD2_HMAC_SHA512_256:
                     hashType = WC_SHA512_256;
                     break;
+#endif
 #endif
                 default:
                     return CKR_MECHANISM_PARAM_INVALID;

src/include.am

@@ -10,8 +10,13 @@ src_libwolfpkcs11_la_SOURCES = \
         src/slot.c \
         src/crypto.c
 
+if HAVE_WOLFBOOT_STORE
+src_libwolfpkcs11_la_SOURCES += \
+        src/wolfboot_store_adapter.c
+endif
+
 src_libwolfpkcs11_la_CFLAGS       = -DBUILDING_WOLFPKCS11 $(AM_CFLAGS)
-src_libwolfpkcs11_la_CPPFLAGS     = -DBUILDING_WOLFPKCS11 $(AM_CPPFLAGS)
+src_libwolfpkcs11_la_CPPFLAGS     = -DBUILDING_WOLFPKCS11 $(AM_CPPFLAGS) $(WOLFBOOT_CPPFLAGS)
 src_libwolfpkcs11_la_LDFLAGS      = ${AM_LDFLAGS} -no-undefined -version-number ${WOLFPKCS11_LIBRARY_VERSION}
 
 #src_libwolfpkcs11_la_DEPENDENCIES =