rm -f dig.out.*
rm -f dsset-*
-rm -f pin
rm -f keyfromlabel.err.* keyfromlabel.out.*
rm -f pkcs11-tool.err.* pkcs11-tool.out.*
rm -f signer.out.*
rm -f ns1/*.example.db ns1/*.example.db.signed
+rm -f ns1/*.kasp.db ns1/*.kasp.db.signed
rm -f ns1/*.kskid1 ns1/*.kskid2 ns1/*.zskid1 ns1/*.zskid2
rm -f ns1/dig.out.*
rm -f ns1/K*
+rm -f ns1/keygen.out.*
rm -f ns1/named.conf ns1/named.args ns1/named.run ns1/named.memstats
+rm -f ns1/pin
rm -f ns1/update.cmd.*
rm -f ns1/update.log.*
rm -f ns1/verify.out.*
-rm -f ns1/zone.*.signed.jnl ns1/zone.*.signed.jbk
+rm -f ns1/zone.*.jnl ns1/zone.*.jbk
OPENSSL_CONF= softhsm2-util --delete-token --token "softhsm2-enginepkcs11" >/dev/null 2>&1 || echo_i "softhsm2-enginepkcs11 token not found for cleaning"
OPENSSL_CONF= softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2-enginepkcs11" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'
-printf '%s' "${HSMPIN:-1234}" >pin
parse_openssl_config
+printf '%s' "${HSMPIN:-1234}" >ns1/pin
PWD=$(pwd)
copy_setports ns1/named.conf.in ns1/named.conf
label="${id}-${zone}"
p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}')
- OPENSSL_CONF= pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-enginepkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) >pkcs11-tool.out.$zone.$id 2>pkcs11-tool.err.$zone.$id || return 1
+ OPENSSL_CONF= pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-enginepkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/ns1/pin) >pkcs11-tool.out.$zone.$id 2>pkcs11-tool.err.$zone.$id || return 1
}
keyfromlabel() {
dir="$4"
shift 4
- $KEYFRLAB $ENGINE_ARG -K $dir -a $alg -l "pkcs11:token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1
+ $KEYFRLAB $ENGINE_ARG -K $dir -a $alg -l "pkcs11:token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/ns1/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1
cat keyfromlabel.out.$zone.$id
}
type=$(echo "$algtypebits" | cut -f 2 -d :)
bits=$(echo "$algtypebits" | cut -f 3 -d :)
+ tld="example"
if $SHELL ../testcrypto.sh $alg; then
- zone="$alg.example"
- zonefile="zone.$alg.example.db"
+ zone="$alg.$tld"
+ zonefile="zone.$alg.$tld.db"
ret=0
echo_i "Generate keys $alg $type:$bits for zone $zone"
cp "${ksk2}.key" "${ksk2}.ksk2"
)
+ echo_i "Add zone $alg.kasp to named.conf"
+ cp $infile ${dir}/zone.${alg}.kasp.db
+
echo_i "Add zone $zone to named.conf"
cat >>"${dir}/named.conf" <<EOF
zone "$zone" {
allow-update { any; };
};
+dnssec-policy "$alg" {
+ keys {
+ ksk key-store "hsm" lifetime unlimited algorithm ${alg};
+ zsk key-store "pin" lifetime unlimited algorithm ${alg};
+ };
+};
+
+zone "${alg}.kasp" {
+ type primary;
+ file "zone.${alg}.kasp.db";
+ dnssec-policy "$alg";
+ allow-update { any; };
+};
+
EOF
fi
done
$DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
)
+check_keys() {
+ _zone=$1
+ _expect=$2
+ _ret=0
+ _status=0
+ _count=$(ls K*.key | grep "K${_zone}" | wc -l)
+
+ test "$_count" -eq "$_expect" || ret=1
+ test "$_ret" -eq 0 || echo_i "failed (expected $_expect keys, got $_count)"
+ _status=$((_status + _ret))
+
+ _ret=0
+ _count=$(cat K${_zone}*.private | grep Label | wc -l)
+ test "$_count" -eq "$_expect" || _ret=1
+ test "$_ret" -eq 0 || echo_i "failed (expected Label metadata in key files)"
+ _status=$((_status + _ret))
+
+ return $_status
+}
+
# Perform tests inside ns1 dir
cd ns1
n=$((n + 1))
ret=0
echo_i "Test key generation was successful for $zone ($n)"
- count=$(ls K*.key | grep "K${zone}" | wc -l)
- test "$count" -eq 4 || ret=1
- test "$ret" -eq 0 || echo_i "failed (expected 4 keys, got $count)"
+ check_keys $zone 4 || ret=1
status=$((status + ret))
n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)"
status=$((status + ret))
+ # Check dnssec-policy interaction.
+ zone="${alg}.kasp"
+
+ # Basic checks if setup was successful (dnssec-policy).
+ n=$((n + 1))
+ ret=0
+ echo_i "Test key generation was successful for $zone ($n)"
+ check_keys $zone 2 || ret=1
+ status=$((status + ret))
+
+ n=$((n + 1))
+ ret=0
+ echo_i "Test DNSKEY response for $zone ($n)"
+ _dig_policy_dnskey() {
+ dig_with_opts "$zone" @10.53.0.1 DNSKEY >dig.out.dnskey.$zone.$n || return 1
+ count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
+ test $count -eq 2
+ }
+ retry_quiet 2 _dig_policy_dnskey || ret=1
+ test "$ret" -eq 0 || echo_i "failed (expected 2 DNSKEY records)"
+ status=$((status + ret))
+
+ n=$((n + 1))
+ ret=0
+ echo_i "Test SOA response for $zone ($n)"
+ _dig_policy_soa() {
+ dig_with_opts "$zone" @10.53.0.1 SOA >dig.out.soa.$zone.$n || return 1
+ awk '$4 == "RRSIG" && $5 == "SOA" { print $11 }' dig.out.soa.$zone.$n >dig.out.keyids.$zone.$n || return 1
+ numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
+ test $numsigs -eq 1 || return 1
+ return 0
+ }
+ retry_quiet 2 _dig_policy_soa || ret=1
+ test "$ret" -eq 0 || echo_i "failed (expected a SOA RRSIG record)"
+ status=$((status + ret))
+
+ # Check dnssec-keygen with dnssec-policy and key-store.
+ zone="${alg}.keygen"
+
+ n=$((n + 1))
+ ret=0
+ echo_i "Test dnssec-keygen for $zone ($n)"
+ $KEYGEN $ENGINE_ARG -k $alg -l named.conf $zone >keygen.out.$zone.$n 2>/dev/null || ret=1
+ check_keys $zone 2 || ret=1
+ status=$((status + ret))
+
done
# Go back to main test dir.
projects / thirdparty / bind9.git / commitdiff
