fi
.setup_softhsm: &setup_softhsm |
- sh -x bin/tests/prepare-softhsm2.sh
+ export SLOT=$(sh -x bin/tests/prepare-softhsm2.sh)
+ test -n "${SLOT}" && test "${SLOT}" -gt 0
.system_test: &system_test_job
<<: *default_triggering_rules
echo "directories.tokendir = ${SOFTHSM2_DIR}/tokens" > "${SOFTHSM2_CONF}"
echo "objectstore.backend = file" >> "${SOFTHSM2_CONF}"
echo "log.level = DEBUG" >> "${SOFTHSM2_CONF}"
- softhsm2-util --init-token --free --pin 0000 --so-pin 0000 --label "softhsm2";
+ softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'
fi
exit 0
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
+set -e
+
rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
rm -f dig.out* pin upd.log*
rm -f ns1/*.key ns1/named.memstats
rm -f supported
+rm -f ns*/named.run
rm -f ns*/named.lock
rm -f ns*/managed-keys.bind*
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-echo "I:(Native PKCS#11)" >&2
-ecxfail=0
-
-$SHELL ../testcrypto.sh -q eddsa || ecxfail=1
-
-rm -f supported
-touch supported
-echo rsa >> supported
-echo ecc >> supported
-if [ $ecxfail = 0 ]; then
- echo ecx >> supported
-fi
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
+set -e
+
SYSTEMTESTTOP=..
+# shellcheck source=conf.sh
. $SYSTEMTESTTOP/conf.sh
+echo "I:(Native PKCS#11)" >&2
+ecxfail=0
+
+$SHELL ../testcrypto.sh -q eddsa || ecxfail=1
+
+rm -f supported
+touch supported
+echo rsa >> supported
+echo ecc >> supported
+if [ $ecxfail = 0 ]; then
+ echo ecx >> supported
+fi
+
infile=ns1/example.db.in
-/bin/echo -n ${HSMPIN:-1234}> pin
-PWD=`pwd`
+printf '%s' "${HSMPIN:-1234}" > pin
+PWD=$(pwd)
zone=rsa.example
zonefile=ns1/rsa.example.db
-have_rsa=`grep rsa supported`
+have_rsa=$(grep rsa supported || true)
if [ "x$have_rsa" != "x" ]; then
$PK11GEN -a RSA -b 1024 -l robie-rsa-zsk1 -i 01
$PK11GEN -a RSA -b 1024 -l robie-rsa-zsk2 -i 02
$PK11GEN -a RSA -b 2048 -l robie-rsa-ksk
- rsazsk1=`$KEYFRLAB -a RSASHA1 \
- -l "object=robie-rsa-zsk1;pin-source=$PWD/pin" rsa.example`
- rsazsk2=`$KEYFRLAB -a RSASHA1 \
- -l "object=robie-rsa-zsk2;pin-source=$PWD/pin" rsa.example`
- rsaksk=`$KEYFRLAB -a RSASHA1 -f ksk \
- -l "object=robie-rsa-ksk;pin-source=$PWD/pin" rsa.example`
+ rsazsk1=$($KEYFRLAB -a RSASHA1 \
+ -l "object=robie-rsa-zsk1;pin-source=$PWD/pin" rsa.example)
+ rsazsk2=$($KEYFRLAB -a RSASHA1 \
+ -l "object=robie-rsa-zsk2;pin-source=$PWD/pin" rsa.example)
+ rsaksk=$($KEYFRLAB -a RSASHA1 -f ksk \
+ -l "object=robie-rsa-ksk;pin-source=$PWD/pin" rsa.example)
- cat $infile $rsazsk1.key $rsaksk.key > $zonefile
+ cat $infile "$rsazsk1".key "$rsaksk".key > $zonefile
$SIGNER -a -P -g -o $zone $zonefile \
> /dev/null 2> signer.err || cat signer.err
- cp $rsazsk2.key ns1/rsa.key
+ cp "$rsazsk2".key ns1/rsa.key
mv Krsa* ns1
else
# RSA not available and will not be tested; make a placeholder
zone=ecc.example
zonefile=ns1/ecc.example.db
-have_ecc=`grep ecc supported`
+have_ecc=$(grep ecc supported || true)
if [ "x$have_ecc" != "x" ]; then
$PK11GEN -a ECC -b 256 -l robie-ecc-zsk1 -i 03
$PK11GEN -a ECC -b 256 -l robie-ecc-zsk2 -i 04
$PK11GEN -a ECC -b 384 -l robie-ecc-ksk
- ecczsk1=`$KEYFRLAB -a ECDSAP256SHA256 \
- -l "object=robie-ecc-zsk1;pin-source=$PWD/pin" ecc.example`
- ecczsk2=`$KEYFRLAB -a ECDSAP256SHA256 \
- -l "object=robie-ecc-zsk2;pin-source=$PWD/pin" ecc.example`
- eccksk=`$KEYFRLAB -a ECDSAP384SHA384 -f ksk \
- -l "object=robie-ecc-ksk;pin-source=$PWD/pin" ecc.example`
+ ecczsk1=$($KEYFRLAB -a ECDSAP256SHA256 \
+ -l "object=robie-ecc-zsk1;pin-source=$PWD/pin" ecc.example)
+ ecczsk2=$($KEYFRLAB -a ECDSAP256SHA256 \
+ -l "object=robie-ecc-zsk2;pin-source=$PWD/pin" ecc.example)
+ eccksk=$($KEYFRLAB -a ECDSAP384SHA384 -f ksk \
+ -l "object=robie-ecc-ksk;pin-source=$PWD/pin" ecc.example)
- cat $infile $ecczsk1.key $eccksk.key > $zonefile
+ cat $infile "$ecczsk1".key "$eccksk".key > $zonefile
$SIGNER -a -P -g -o $zone $zonefile \
> /dev/null 2> signer.err || cat signer.err
- cp $ecczsk2.key ns1/ecc.key
+ cp "$ecczsk2".key ns1/ecc.key
mv Kecc* ns1
else
# ECC not available and will not be tested; make a placeholder
zone=ecx.example
zonefile=ns1/ecx.example.db
-have_ecx=`grep ecx supported`
+have_ecx=$(grep ecx supported || true)
if [ "x$have_ecx" != "x" ]; then
$PK11GEN -a ECX -b 256 -l robie-ecx-zsk1 -i 05
$PK11GEN -a ECX -b 256 -l robie-ecx-zsk2 -i 06
$PK11GEN -a ECX -b 256 -l robie-ecx-ksk
# $PK11GEN -a ECX -b 456 -l robie-ecx-ksk
- ecxzsk1=`$KEYFRLAB -a ED25519 \
- -l "object=robie-ecx-zsk1;pin-source=$PWD/pin" ecx.example`
- ecxzsk2=`$KEYFRLAB -a ED25519 \
- -l "object=robie-ecx-zsk2;pin-source=$PWD/pin" ecx.example`
- ecxksk=`$KEYFRLAB -a ED25519 -f ksk \
- -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example`
+ ecxzsk1=$($KEYFRLAB -a ED25519 \
+ -l "object=robie-ecx-zsk1;pin-source=$PWD/pin" ecx.example)
+ ecxzsk2=$($KEYFRLAB -a ED25519 \
+ -l "object=robie-ecx-zsk2;pin-source=$PWD/pin" ecx.example)
+ ecxksk=$($KEYFRLAB -a ED25519 -f ksk \
+ -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example)
# ecxksk=`$KEYFRLAB -a ED448 -f ksk \
# -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example`
- cat $infile $ecxzsk1.key $ecxksk.key > $zonefile
+ cat $infile "$ecxzsk1".key "$ecxksk".key > $zonefile
$SIGNER -a -P -g -o $zone $zonefile \
> /dev/null 2> signer.err || cat signer.err
- cp $ecxzsk2.key ns1/ecx.key
+ cp "$ecxzsk2".key ns1/ecx.key
mv Kecx* ns1
else
# ECX not available and will not be tested; make a placeholder
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
+set -e
+
SYSTEMTESTTOP=..
+# shellcheck source=conf.sh
. $SYSTEMTESTTOP/conf.sh
-DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
+dig_with_opts() {
+ $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300 "$@"
+}
status=0
ret=0
algs=""
-have_rsa=`grep rsa supported`
+have_rsa=$(grep rsa supported || true)
if [ "x$have_rsa" != "x" ]; then
algs="rsa "
fi
-have_ecc=`grep ecc supported`
+have_ecc=$(grep ecc supported || true)
if [ "x$have_ecc" != "x" ]; then
algs=$algs"ecc "
fi
-have_ecx=`grep ecc supported`
+have_ecx=$(grep ecx supported || true)
if [ "x$have_ecx" != "x" ]; then
algs=$algs"ecx "
fi
for alg in $algs; do
zonefile=ns1/$alg.example.db
echo "I:testing PKCS#11 key generation ($alg)"
- count=`$PK11LIST | grep robie-$alg-ksk | wc -l`
- if [ $count != 2 ]; then echo "I:failed"; status=1; fi
+ count=$($PK11LIST | grep -c "robie-$alg-ksk" || true)
+ if [ "$count" -ne 2 ]; then echo "I:failed"; status=1; fi
echo "I:testing offline signing with PKCS#11 keys ($alg)"
- count=`grep RRSIG $zonefile.signed | wc -l`
- if [ $count != 12 ]; then echo "I:failed"; status=1; fi
+ count=$(grep -c RRSIG "$zonefile.signed" || true)
+ if [ "$count" -ne 12 ]; then echo "I:failed"; status=1; fi
echo "I:testing inline signing with PKCS#11 keys ($alg)"
- $DIG $DIGOPTS ns.$alg.example. @10.53.0.1 a > dig.out.$alg.0 || ret=1
- if [ $ret != 0 ]; then echo "I:failed"; fi
- status=`expr $status + $ret`
- count0=`grep RRSIG dig.out.$alg.0 | wc -l`
+ dig_with_opts "ns.$alg.example." @10.53.0.1 a > "dig.out.$alg.0" || ret=1
+ if [ $ret -ne 0 ]; then echo "I:failed"; fi
+ status=$((status + ret))
+ count0=$(grep -c RRSIG "dig.out.$alg.0" || true)
- $NSUPDATE -v > upd.log.$alg <<END || status=1
+ $NSUPDATE -v > "upd.log.$alg" <<END || status=1
server 10.53.0.1 5300
ttl 300
zone $alg.example.
-update add `grep -v ';' ns1/${alg}.key`
+update add $(grep -v ';' "ns1/${alg}.key" || true)
send
END
echo "I:waiting 20 seconds for key changes to take effect"
sleep 20
- $DIG $DIGOPTS ns.$alg.example. @10.53.0.1 a > dig.out.$alg || ret=1
- if [ $ret != 0 ]; then echo "I:failed"; fi
- status=`expr $status + $ret`
- count=`grep RRSIG dig.out.$alg | wc -l`
- if [ $count -le $count0 ]; then echo "I:failed"; status=1; fi
+ dig_with_opts "ns.$alg.example." @10.53.0.1 a > "dig.out.$alg" || ret=1
+ if [ $ret -ne 0 ]; then echo "I:failed"; fi
+ status=$((status + ret))
+ count=$(grep -c RRSIG "dig.out.$alg" || true)
+ if [ "$count" -le "$count0" ]; then echo "I:failed"; status=1; fi
echo "I:testing PKCS#11 key destroy ($alg)"
ret=0
- $PK11DEL -l robie-$alg-ksk -w0 > /dev/null 2>&1 || ret=1
- $PK11DEL -l robie-$alg-zsk1 -w0 > /dev/null 2>&1 || ret=1
+ $PK11DEL -l "robie-$alg-ksk" -w0 > /dev/null 2>&1 || ret=1
+ $PK11DEL -l "robie-$alg-zsk1" -w0 > /dev/null 2>&1 || ret=1
case $alg in
rsa) id=02 ;;
ecc) id=04 ;;
ecx) id=06 ;;
esac
$PK11DEL -i $id -w0 > /dev/null 2>&1 || ret=1
- if [ $ret != 0 ]; then echo "I:failed"; fi
- status=`expr $status + $ret`
- count=`$PK11LIST | grep robie-$alg | wc -l`
- if [ $count != 0 ]; then echo "I:failed"; fi
- status=`expr $status + $count`
+ if [ $ret -ne 0 ]; then echo "I:failed"; fi
+ status=$((status + ret))
+ count=$($PK11LIST | grep -c "robie-$alg" || true)
+ if [ "$count" -ne 0 ]; then echo "I:failed"; fi
+ status=$((status + count))
done
echo "I:exit status: $status"
-[ $status -eq 0 ] || exit 1
+[ "$status" -eq 0 ] || exit 1
./bin/tests/system/pipelined/setup.sh SH 2014,2015,2016,2017,2018,2019,2020
./bin/tests/system/pipelined/tests.sh SH 2014,2015,2016,2017,2018,2019,2020
./bin/tests/system/pkcs11/clean.sh SH 2010,2012,2014,2016,2017,2018,2019,2020
-./bin/tests/system/pkcs11/prereq.sh SH 2010,2012,2014,2016,2017,2018,2019,2020
./bin/tests/system/pkcs11/setup.sh SH 2010,2012,2013,2014,2016,2017,2018,2019,2020
./bin/tests/system/pkcs11/tests.sh SH 2010,2012,2014,2016,2017,2018,2019,2020
./bin/tests/system/pkcs11/usepkcs11 X 2010,2018,2019,2020
projects / thirdparty / bind9.git / commitdiff
