
@devin-ai-integration
Contributor

Add GitHub Action to test PIN flag upgrade from v1.3.0 to v2.0.0

Summary

This PR adds a GitHub Action workflow that tests for a PIN flag upgrade bug discovered in wolfPKCS11. When upgrading from v1.3.0 to v2.0.0, tokens with PINs set may not have the WP11_TOKEN_FLAG_USER_PIN_SET flag set in the new version, causing authentication failures.

The workflow:

  1. Builds wolfPKCS11 v1.3.0 and initializes a token with a PIN
  2. Verifies the PIN works correctly in v1.3.0 (establishes baseline)
  3. Builds the PR version (v2.0.0+) and attempts to access the same token
  4. Tests whether the PIN flag is properly detected after upgrade

Important: This test is EXPECTED to fail on current master because the bug exists and hasn't been fixed yet. The test serves to reproduce the issue so a fix can be developed and validated.

Unlike PR #154, this workflow is simplified (no TPM) to focus specifically on the file-based storage PIN flag issue.

Review & Testing Checklist for Human

⚠️ CRITICAL: This workflow has never been run on GitHub Actions and is expected to fail initially (by design, to reproduce the bug).

  • Run the workflow manually on this PR to verify it executes without errors through all build steps
  • Verify bug reproduction - Confirm the test fails at the v2.0.0 login step with error 0x00000102 (CKR_USER_PIN_NOT_INITIALIZED) and displays the "BUG DETECTED" message
  • Check test program compilation - Ensure both verify_pin_1.3.0.c and verify_pin_2.0.0.c compile successfully with the relative include paths
  • Verify token path consistency - Confirm the WOLFPKCS11_TOKEN_PATH environment variable properly propagates across workflow steps so v2.0.0 finds the v1.3.0 token
  • Review failure message - Ensure the failure output clearly explains the bug and expected vs actual behavior

Test Plan

  1. Trigger this workflow on the PR (will run automatically or use workflow_dispatch)
  2. Verify the v1.3.0 baseline test passes (PIN initialization and login work)
  3. Verify the v2.0.0 upgrade test fails with the expected error showing the bug
  4. Check the workflow output for clear diagnostic messages
  5. Once a fix is implemented, this same test should pass end-to-end

Notes

  • The user mentioned some other GitHub Actions tests may fail at this stage, which is a known issue to be solved later
  • This workflow is based on the upgrade testing pattern from PR #154 (Add GitHub Action workflow for TPM corruption testing) but simplified for file-based storage
  • The embedded test programs use debug output to make troubleshooting easier
  • The workflow uses WOLFPKCS11_TOKEN_PATH environment variable to ensure both versions access the same token storage

Link to Devin run: https://app.devin.ai/sessions/899f11a4b0ab46cc835b55b8b785904a
Requested by: andrew@wolfssl.com (andrew@wolfssl.com)

This workflow tests the issue where upgrading from wolfPKCS11 v1.3.0 to
v2.0.0+ can result in the WP11_TOKEN_FLAG_USER_PIN_SET flag not being
set when a PIN was configured in the old version.

The test:
1. Builds wolfPKCS11 v1.3.0 and initializes a token with a PIN
2. Verifies the PIN works in v1.3.0
3. Builds the PR version (v2.0.0+)
4. Tests if the PIN flag is properly detected after upgrade

This is a simplified version without TPM to focus on the PIN flag issue.

Co-Authored-By: andrew@wolfssl.com <andrew@wolfssl.com>

@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


@wolfSSL-Bot

Can one of the admins verify this patch?

devin-ai-integration bot and others added 2 commits November 5, 2025 14:39
The workflow failed because v1.3.0 doesn't have examples/init_token.
This commit fixes the issue by:

1. Creating an inline token initialization program that uses PKCS#11 API
   directly (C_InitToken + C_InitPIN) to set up the token with a PIN
2. Pinning wolfSSL to v5.8.2-stable for compatibility with v1.3.0
3. Using consistent WOLFPKCS11_TOKEN_PATH env variable across all steps
4. Adding distinct exit code (100) for the expected bug (CKR_USER_PIN_NOT_INITIALIZED)
   to distinguish from workflow/setup errors
5. Improving error handling and diagnostics in the workflow

The test is expected to fail with exit code 100, confirming the bug where
WP11_TOKEN_FLAG_USER_PIN_SET is not set when upgrading from v1.3.0 to v2.0.0.

Co-Authored-By: andrew@wolfssl.com <andrew@wolfssl.com>

This adds a separate workflow to test the PIN flag upgrade issue
from v1.3.0 to v2.0.0 using TPM storage (WOLFPKCS11_TPM_STORE).

The workflow:
1. Sets up ibmswtpm2 (software TPM simulator) and wolfTPM
2. Builds wolfPKCS11 v1.3.0 with TPM support and initializes a token with PIN
3. Stops/restarts TPM server to flush NVChip (persists TPM state)
4. Builds PR version (v2.0.0+) with TPM support
5. Tests if the PIN flag is properly detected after upgrade

This follows the pattern from PR #154 but uses inline C programs
for token initialization and verification. The test uses exit code 100
for the expected bug (CKR_USER_PIN_NOT_INITIALIZED) to distinguish
from workflow errors.

Co-Authored-By: andrew@wolfssl.com <andrew@wolfssl.com>
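
Added example (not code from this PR or from wolfPKCS11): one way a verification program could derive its exit status so that code 100 is returned only for the PIN-flag outcome the commit messages above describe, and not for a token store that was never found. The PKCS#11 constants are the standard values, defined locally; `classify_upgrade` and the `RC_*` names are hypothetical, and reading the state through `CKF_USER_PIN_INITIALIZED` from `C_GetTokenInfo` is an assumption about how the internal `WP11_TOKEN_FLAG_USER_PIN_SET` flag surfaces.

```c
#include <stdio.h>

/* Standard PKCS#11 values, defined locally so this builds without pkcs11.h. */
typedef unsigned long CK_RV;
typedef unsigned long CK_FLAGS;
#define CKR_OK                        0x00000000UL
#define CKR_PIN_INCORRECT             0x000000A0UL
#define CKR_USER_PIN_NOT_INITIALIZED  0x00000102UL
#define CKF_USER_PIN_INITIALIZED      0x00000008UL
#define CKF_TOKEN_INITIALIZED         0x00000400UL

/* Hypothetical exit codes; 100 follows the convention in the commit message. */
enum { RC_PASS = 0, RC_OTHER_FAILURE = 1, RC_PIN_FLAG_LOST = 100 };

/* token_flags: CK_TOKEN_INFO.flags as returned by C_GetTokenInfo.
 * login_rv:    result of C_Login(CKU_USER) with the PIN set under v1.3.0. */
int classify_upgrade(CK_FLAGS token_flags, CK_RV login_rv)
{
    int pin_flag = (token_flags & CKF_USER_PIN_INITIALIZED) != 0;

    /* A token that is not marked initialized is not the one C_InitToken
     * created earlier: treat it as a token-path problem, not as the bug. */
    if (!(token_flags & CKF_TOKEN_INITIALIZED))
        return RC_OTHER_FAILURE;

    /* Login succeeding while the flag is clear is inconsistent state. */
    if (login_rv == CKR_OK)
        return pin_flag ? RC_PASS : RC_OTHER_FAILURE;

    /* Initialized token, PIN flag gone, login refused with 0x102. */
    if (login_rv == CKR_USER_PIN_NOT_INITIALIZED && !pin_flag)
        return RC_PIN_FLAG_LOST;

    /* CKR_PIN_INCORRECT and anything else: wrong PIN, wrong store, build issue. */
    return RC_OTHER_FAILURE;
}

int main(void)
{
    /* Constructed inputs standing in for real C_GetTokenInfo / C_Login results. */
    struct { const char *name; CK_FLAGS flags; CK_RV rv; } cases[] = {
        { "upgrade ok",       CKF_TOKEN_INITIALIZED | CKF_USER_PIN_INITIALIZED, CKR_OK },
        { "pin flag missing", CKF_TOKEN_INITIALIZED, CKR_USER_PIN_NOT_INITIALIZED },
        { "wrong pin",        CKF_TOKEN_INITIALIZED | CKF_USER_PIN_INITIALIZED, CKR_PIN_INCORRECT },
        { "token not found",  0, CKR_USER_PIN_NOT_INITIALIZED },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s -> exit %d\n", cases[i].name,
               classify_upgrade(cases[i].flags, cases[i].rv));
    return 0;
}
```
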
@LinuxJedi
Member

Closing this, it isn't a problem for 1.3.0 -> 2.0.0. Only for an intermediate version that was not released.

@LinuxJedi LinuxJedi closed this Nov 5, 2025