Add wolfBoot testing to wolfPKCS11

wolfBoot implements its own storage, we need to make sure we don't break
it.

Author: LinuxJedi

.github/workflows/clang-tidy.yml

@@ -76,6 +76,14 @@ jobs:
         sudo ldconfig
         cd ..
 
+    # Fetch wolfBoot sources for custom store builds
+    - name: Fetch wolfBoot sources
+      run: |
+        WOLFBOOT_DIR="${RUNNER_TEMP:-/tmp}/wolfBoot"
+        rm -rf "$WOLFBOOT_DIR"
+        git clone --depth 1 --branch master https://github.com/wolfSSL/wolfBoot.git "$WOLFBOOT_DIR"
+        echo "WOLFBOOT_DIR=$WOLFBOOT_DIR" >> "$GITHUB_ENV"
+
     # Setup IBM Software TPM (only if TPM enabled)
     - name: Setup IBM Software TPM
       if: contains(matrix.config.configure_flags, '--enable-tpm')
@@ -109,9 +117,9 @@ jobs:
       run: |
         ./autogen.sh
         if [ -n "${{ matrix.config.configure_flags }}" ]; then
-          CC=clang CXX=clang++ ./configure --enable-all --enable-debug ${{ matrix.config.configure_flags }}
+          CC=clang CXX=clang++ ./configure --enable-all --enable-debug --with-wolfboot="${WOLFBOOT_DIR}" ${{ matrix.config.configure_flags }}
         else
-          CC=clang CXX=clang++ ./configure --enable-all --enable-debug
+          CC=clang CXX=clang++ ./configure --enable-all --enable-debug --with-wolfboot="${WOLFBOOT_DIR}"
         fi
         bear -- make -j$(nproc)
 

.github/workflows/wolfboot-build.yml

@@ -0,0 +1,63 @@
+name: Build wolfBoot integration
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build wolfPKCS11 with wolfBoot store
+    runs-on: ubuntu-24.04
+    env:
+      DEBIAN_FRONTEND: noninteractive
+      LD_LIBRARY_PATH: /usr/local/lib
+      PKG_CONFIG_PATH: /usr/local/lib/pkgconfig
+      WOLFSSL_REF: v5.8.0-stable
+      WOLFBOOT_REF: master
+      WOLFBOOT_DIR: /tmp/wolfBoot
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends \
+            autoconf \
+            automake \
+            build-essential \
+            ca-certificates \
+            git \
+            libssl-dev \
+            libtool \
+            make \
+            pkg-config \
+            python3 \
+            gdb
+
+      - name: Build and install wolfSSL
+        run: |
+          git clone --depth 1 --branch "${WOLFSSL_REF}" https://github.com/wolfSSL/wolfssl.git /tmp/wolfssl
+          cd /tmp/wolfssl
+          ./autogen.sh
+          ./configure --enable-debug --enable-aescfb --enable-cryptocb --enable-rsapss --enable-keygen \
+            --enable-pwdbased --enable-scrypt "C_EXTRA_FLAGS=-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DHAVE_AES_ECB -DHAVE_AES_KEYWRAP"
+          make -j"$(nproc)"
+          sudo make install
+          sudo ldconfig
+
+      - name: Fetch wolfBoot sources
+        run: |
+          git clone --depth 1 --branch "${WOLFBOOT_REF}" https://github.com/wolfSSL/wolfBoot.git "${WOLFBOOT_DIR}"
+
+      - name: Build wolfPKCS11
+        run: |
+          ./autogen.sh
+          ./configure --enable-debug --with-wolfboot="${WOLFBOOT_DIR}" CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib"
+          make -j"$(nproc)"
+
+      - name: Run tests
+        run: make test

Docker/include.am

@@ -1 +1,3 @@
 EXTRA_DIST+= Docker/packaging/debian/Dockerfile
+EXTRA_DIST+= Docker/firefox/Dockerfile
+EXTRA_DIST+= Docker/wolfboot/Dockerfile

Docker/wolfboot/Dockerfile

@@ -0,0 +1,45 @@
+FROM ubuntu:24.04
+
+ARG WOLFSSL_REF=v5.8.0-stable
+ARG WOLFBOOT_REF=master
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV LD_LIBRARY_PATH=/usr/local/lib
+ENV PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        autoconf \
+        automake \
+        build-essential \
+        ca-certificates \
+        git \
+        libssl-dev \
+        libtool \
+        make \
+        pkg-config \
+        python3 \
+        gdb \
+    && rm -rf /var/lib/apt/lists/*
+
+# Build and install wolfSSL
+RUN git clone --depth 1 --branch ${WOLFSSL_REF} https://github.com/wolfSSL/wolfssl.git /tmp/wolfssl \
+    && cd /tmp/wolfssl \
+    && ./autogen.sh \
+    && ./configure --enable-debug --enable-aescfb --enable-cryptocb --enable-rsapss --enable-keygen \
+        --enable-pwdbased --enable-scrypt "C_EXTRA_FLAGS=-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DHAVE_AES_ECB -DHAVE_AES_KEYWRAP" \
+    && make -j"$(nproc)" \
+    && make install \
+    && ldconfig \
+    && rm -rf /tmp/wolfssl
+
+# Fetch wolfBoot sources that provide the custom store implementation
+RUN git clone --depth 1 --branch ${WOLFBOOT_REF} https://github.com/wolfSSL/wolfBoot.git /opt/wolfBoot
+
+WORKDIR /wolfpkcs11
+COPY . /wolfpkcs11
+
+RUN ./autogen.sh \
+    && ./configure --enable-debug --with-wolfboot=/opt/wolfBoot CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" \
+    && make -j"$(nproc)"
+
+#RUN make check

README.md

@@ -73,6 +73,11 @@ Enables debugging printf's for store.
 Removes default implementation of storage functions.
 See wolfpkcs11/store.h for prototypes of functions to implement.
 
+To build and test with the wolfBoot storage backend, configure with
+`./configure --with-wolfboot=/path/to/wolfBoot`. This enables
+`WOLFPKCS11_CUSTOM_STORE` automatically and links against the wolfBoot
+implementation of the store API.
+
 #### Define WOLFPKCS11_KEYPAIR_GEN_COMMON_LABEL
 
 Sets the private key's label against the public key when generating key pairs.

configure.ac

@@ -31,6 +31,8 @@ AC_PROG_INSTALL
 AC_ARG_PROGRAM
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_HEADERS([wolfpkcs11/config.h])
+m4_ifndef([AS_MESSAGE_LOG_FD],[m4_define([AS_MESSAGE_LOG_FD],[0])])
+m4_pattern_allow([AS_MESSAGE_LOG_FD])
 
 # shared library versioning
 # The three numbers in the libpkcs11.so.*.*.* file name. Unfortunately
@@ -78,6 +80,36 @@ AC_CHECK_SIZEOF([long], 4)
 AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday inet_ntoa memset socket getpid])
 AC_CHECK_LIB([network],[socket])
 
+WOLFBOOT_CPPFLAGS=""
+WOLFBOOT_STORE_ENABLED=no
+
+AC_ARG_WITH([wolfboot],
+    [AS_HELP_STRING([--with-wolfboot=PATH],
+        [Enable wolfBoot-backed token storage using the wolfBoot sources located at PATH])],
+    [with_wolfboot="$withval"],
+    [with_wolfboot=""])
+
+AS_IF([test "x$with_wolfboot" = "xyes"],
+      [AC_MSG_ERROR([--with-wolfboot requires a path to the wolfBoot source tree])])
+
+AS_IF([test "x$with_wolfboot" != "x" && test "x$with_wolfboot" != "xno"],
+      [if test ! -d "$with_wolfboot"; then
+           echo "configure: error: wolfBoot source directory $with_wolfboot not found" >&2
+           exit 1
+       fi
+       if test ! -f "$with_wolfboot/src/pkcs11_store.c"; then
+           echo "configure: error: wolfBoot PKCS#11 store source not found in $with_wolfboot/src" >&2
+           exit 1
+       fi
+       AC_DEFINE([HAVE_WOLFBOOT_STORE], [1],
+           [Define to 1 if wolfBoot custom storage support is enabled])
+       AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFPKCS11_CUSTOM_STORE -DWOLFPKCS11_WOLFBOOT_STORE"
+       WOLFBOOT_CPPFLAGS="-I$with_wolfboot/include -I$with_wolfboot/src -I$with_wolfboot/tools/unit-tests"
+       WOLFBOOT_STORE_ENABLED=yes])
+
+AM_CONDITIONAL([HAVE_WOLFBOOT_STORE], [test "x$WOLFBOOT_STORE_ENABLED" = "xyes"])
+AC_SUBST([WOLFBOOT_CPPFLAGS])
+
 # DEBUG
 DEBUG_CFLAGS="-g -O0 -DDEBUG_WOLFPKCS11"
 

src/crypto.c

@@ -6411,7 +6411,6 @@ CK_RV C_GenerateKey(CK_SESSION_HANDLE hSession,
                 case CKP_PKCS5_PBKD2_HMAC_SHA512:
                     hashType = WC_SHA512;
                     break;
-#endif
 #ifndef WOLFSSL_NOSHA512_224
                 case CKP_PKCS5_PBKD2_HMAC_SHA512_224:
                     hashType = WC_SHA512_224;
@@ -6421,6 +6420,7 @@ CK_RV C_GenerateKey(CK_SESSION_HANDLE hSession,
                 case CKP_PKCS5_PBKD2_HMAC_SHA512_256:
                     hashType = WC_SHA512_256;
                     break;
+#endif
 #endif
                 default:
                     return CKR_MECHANISM_PARAM_INVALID;

src/include.am

@@ -10,8 +10,13 @@ src_libwolfpkcs11_la_SOURCES = \
         src/slot.c \
         src/crypto.c
 
+if HAVE_WOLFBOOT_STORE
+src_libwolfpkcs11_la_SOURCES += \
+        src/wolfboot_store_adapter.c
+endif
+
 src_libwolfpkcs11_la_CFLAGS       = -DBUILDING_WOLFPKCS11 $(AM_CFLAGS)
-src_libwolfpkcs11_la_CPPFLAGS     = -DBUILDING_WOLFPKCS11 $(AM_CPPFLAGS)
+src_libwolfpkcs11_la_CPPFLAGS     = -DBUILDING_WOLFPKCS11 $(AM_CPPFLAGS) $(WOLFBOOT_CPPFLAGS)
 src_libwolfpkcs11_la_LDFLAGS      = ${AM_LDFLAGS} -no-undefined -version-number ${WOLFPKCS11_LIBRARY_VERSION}
 
 #src_libwolfpkcs11_la_DEPENDENCIES =

src/internal.c

@@ -2336,23 +2336,24 @@ int WP11_Object_Copy(WP11_Object *src, WP11_Object *dest)
     dest->category = src->category;
     dest->devId    = src->devId;
 
-    if (src->objClass == CKO_CERTIFICATE) {
+#if defined(WOLFPKCS11_NSS)
+    if (src->objClass == CKO_CERTIFICATE || src->objClass == CKO_NSS_TRUST) {
         return BAD_FUNC_ARG;
     }
-#ifdef WOLFPKCS11_NSS
-    else if (src->objClass == CKO_NSS_TRUST) {
+#else
+    if (src->objClass == CKO_CERTIFICATE) {
         return BAD_FUNC_ARG;
     }
 #endif
-    else {
+
 #ifdef WOLFPKCS11_TPM
-        /* Handle TPM keys - copy tpmKey structure directly */
-        if (src->opFlag & WP11_FLAG_TPM) {
-            /* Copy the TPM key blob structure directly */
-            XMEMCPY(dest->tpmKey, src->tpmKey, sizeof(WOLFTPM2_KEYBLOB));
+    /* Handle TPM keys - copy tpmKey structure directly */
+    if (src->opFlag & WP11_FLAG_TPM) {
+        /* Copy the TPM key blob structure directly */
+        XMEMCPY(dest->tpmKey, src->tpmKey, sizeof(WOLFTPM2_KEYBLOB));
 
-            /* Initialize TPM handle to NULL for the destination */
-            dest->tpmKey->handle.hndl = TPM_RH_NULL;
+        /* Initialize TPM handle to NULL for the destination */
+        dest->tpmKey->handle.hndl = TPM_RH_NULL;
 
             /* Initialize the wolf key structures based on key type */
             switch (src->type) {
@@ -2395,12 +2396,13 @@ int WP11_Object_Copy(WP11_Object *src, WP11_Object *dest)
                 }
             }
         }
-        else
+    }
+    else
 #endif
-        {
-            switch (src->type) {
+    {
+        switch (src->type) {
 #ifndef NO_RSA
-                case CKK_RSA: {
+            case CKK_RSA: {
                     byte* derBuf = NULL;
                     int derSz = 0;
 
@@ -4739,14 +4741,17 @@ static int wp11_Object_Encode(WP11_Object* object, int protect)
 {
     int ret;
 
+    int is_plain_class;
+
 #ifdef WOLFPKCS11_NSS
-    if ((object->objClass == CKO_CERTIFICATE) ||
-        (object->objClass == CKO_NSS_TRUST))
+    is_plain_class = (object->objClass == CKO_CERTIFICATE) ||
+        (object->objClass == CKO_NSS_TRUST) ||
+        (object->objClass == CKO_DATA);
 #else
-    if (object->objClass == CKO_CERTIFICATE)
+    is_plain_class = (object->objClass == CKO_CERTIFICATE) ||
+        (object->objClass == CKO_DATA);
 #endif
-        ret = 0;
-    else if (object->objClass == CKO_DATA) {
+    if (is_plain_class) {
         ret = 0;
     }
     else {
@@ -8957,15 +8962,14 @@ int WP11_Object_GetAttr(WP11_Object* object, CK_ATTRIBUTE_TYPE type, byte* data,
                 ret = NOT_AVAILABLE_E;
 #endif
             }
-            else if (object->objClass == CKO_SECRET_KEY) {
 #ifdef HAVE_AESECB
+            else if (object->objClass == CKO_SECRET_KEY) {
                 ret = GetEcbCheckValue(object, data, len);
-#else
-                ret = NOT_AVAILABLE_E;
-#endif
             }
-            else
+#endif
+            else {
                 ret = NOT_AVAILABLE_E;
+            }
             break;
 
         default:
@@ -9298,11 +9302,9 @@ int WP11_Object_SetAttr(WP11_Object* object, CK_ATTRIBUTE_TYPE type, byte* data,
             }
             break;
         case CKA_VALUE:
-            if (object->objClass == CKO_CERTIFICATE) {
-                break; /* Handled in WP11_Object_SetCert */
-            }
-            else if (object->objClass == CKO_DATA) {
-                break; /* Handled in WP11_Object_SetDataObject */
+            if ((object->objClass == CKO_CERTIFICATE) ||
+                (object->objClass == CKO_DATA)) {
+                break; /* Handled in WP11_Object_SetCert/DataObject */
             }
             switch (object->type) {
 #ifdef HAVE_ECC
@@ -9325,18 +9327,8 @@ int WP11_Object_SetAttr(WP11_Object* object, CK_ATTRIBUTE_TYPE type, byte* data,
             }
             break;
         case CKA_APPLICATION:
-            if (object->objClass == CKO_DATA) {
-                /* Handled in WP11_Object_DataObject */
-            }
-            else {
-                ret = BAD_FUNC_ARG;
-            }
-            break;
         case CKA_OBJECT_ID:
-            if (object->objClass == CKO_DATA) {
-                /* Handled in WP11_Object_DataObject */
-            }
-            else {
+            if (object->objClass != CKO_DATA) {
                 ret = BAD_FUNC_ARG;
             }
             break;