# None of these algorithms are supported for signing in FIPS mode
# as they are MD5 and SHA1 based.
#
-if (
- cd ..
- $SHELL ../testcrypto.sh -q RSASHA1
-); then
+if [ $RSASHA1_SUPPORTED = 1 ]; then
setup nsec-only.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2>kg.out) || dumpit kg.out
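Review bot: The new condition `if [ $RSASHA1_SUPPORTED = 1 ]; then` leaves the variable unquoted, so if conf.sh ever fails to export it the test collapses to `[ = 1 ]` and the shell reports a syntax error rather than taking the "not supported" branch the old `testcrypto.sh` probe fell into on failure. Quoting with a default, `if [ "${RSASHA1_SUPPORTED:-0}" = 1 ]; then`, keeps the fail-closed semantics and is valid in plain sh. The same unquoted form is used in every other converted check on this page (the RSASHA1, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448 conditions, including the combined prerequisite test `[ $ED25519_SUPPORTED = 0 ] && [ $ED448_SUPPORTED = 0 ]`). Where these variables are defined is not visible in this diff, so this is a hardening point rather than a known failure.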
checkprivate nsec3.optout.example 10.53.0.3 || ret=1
checkprivate nsec3-to-nsec.example 10.53.0.3 2 || ret=1 # automatically removed
checkprivate nsec3-to-nsec3.example 10.53.0.3 2 || ret=1 # automatically removed
-if $SHELL ../testcrypto.sh -q RSASHA1; then
+if [ $RSASHA1_SUPPORTED = 1 ]; then
checkprivate nsec-only.example 10.53.0.3 || ret=1
fi
checkprivate oldsigs.example 10.53.0.3 2 || ret=1 # pre-signed
[ "$del" -eq 0 ] || ret=1
pub=$(grep "DNSKEY .* is now published" ns3/named.run | grep -v "CDNSKEY" | wc -l)
act=$(grep "DNSKEY .* is now active" ns3/named.run | wc -l)
-if $SHELL ../testcrypto.sh -q RSASHA1; then
+if [ $RSASHA1_SUPPORTED = 1 ]; then
# Include two log lines for nsec-only zone.
[ "$pub" -eq 53 ] || ret=1
[ "$act" -eq 53 ] || ret=1
n=$((n + 1))
echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)"
ret=0
-if ! ($SHELL ../testcrypto.sh -q RSASHA1); then
+if [ $RSASHA1_SUPPORTED = 0 ]; then
conf=kasp-bad-nsec3-iter-fips.conf
expect=2
else
echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)"
ret=0
$CHECKCONF kasp-bad-nsec3-alg.conf >checkconf.out$n 2>&1 && ret=1
-if ! ($SHELL ../testcrypto.sh -q RSASHA1); then
+if [ $RSASHA1_SUPPORTED = 0 ]; then
grep "dnssec-policy: algorithm rsasha1 not supported" <checkconf.out$n >/dev/null || ret=1
else
grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" <checkconf.out$n >/dev/null || ret=1
ret=0
if ! $FEATURETEST --fips-provider; then
echo_i "skipped no FIPS provider available"
-elif ! $SHELL ../testcrypto.sh -q RSASHA1; then
+elif [ $RSASHA1_SUPPORTED = 0 ]; then
echo_i "skipped: RSASHA1 is not supported"
else
(
echo_i "skipped: already in FIPS mode"
elif ! $FEATURETEST --fips-provider; then
echo_i "skipped no FIPS provider available"
-elif ! $SHELL ../testcrypto.sh -q RSASHA1; then
+elif [ $RSASHA1_SUPPORTED = 0 ]; then
echo_i "skipped: RSASHA1 is not supported"
else
$KEYGEN -F -a rsasha1 example.fips 2>keygen.err$n || true
echo_i "skipped: already in FIPS mode"
elif ! $FEATURETEST --fips-provider; then
echo_i "skipped: cannot switch to FIPS mode"
-elif ! $SHELL ../testcrypto.sh -q RSASHA1; then
+elif [ $RSASHA1_SUPPORTED = 0 ]; then
echo_i "skipped: RSASHA1 is not supported"
else
$KEYGEN -F -a nsec3rsasha1 example.fips 2>keygen.err$n || true
rm -f ns*/root.db
rm -f ns*/signer.err
rm -f ns*/trusted.conf
-rm -f *-supported.file
cp $infile $zonefile
-if [ -f ../ecdsa256-supported.file ]; then
+if [ $ECDSAP256SHA256_SUPPORTED = 1 ]; then
zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone")
ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone")
cat "$ksk256.key" "$zsk256.key" >>"$zonefile"
$DSFROMKEY -a sha-256 "$ksk256.key" >>dsset-256
fi
-if [ -f ../ecdsa384-supported.file ]; then
+if [ $ECDSAP384SHA384_SUPPORTED = 1 ]; then
zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone")
ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone")
cat "$ksk384.key" "$zsk384.key" >>"$zonefile"
fi
# Configure the resolving server with a static key.
-if [ -f ../ecdsa256-supported.file ]; then
+if [ $ECDSAP256SHA256_SUPPORTED = 1 ]; then
keyfile_to_static_ds $ksk256 >trusted.conf
cp trusted.conf ../ns2/trusted.conf
else
cp trusted.conf ../ns2/trusted.conf
fi
-if [ -f ../ecdsa384-supported.file ]; then
+if [ $ECDSAP384SHA384_SUPPORTED = 1 ]; then
keyfile_to_static_ds $ksk384 >trusted.conf
cp trusted.conf ../ns3/trusted.conf
else
. ../conf.sh
-if $SHELL ../testcrypto.sh ecdsap256sha256; then
- echo "yes" >ecdsa256-supported.file
-fi
-
-if $SHELL ../testcrypto.sh ecdsap384sha384; then
- echo "yes" >ecdsa384-supported.file
-fi
-
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
"$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
}
-if [ -f ecdsa256-supported.file ]; then
+if [ $ECDSAP256SHA256_SUPPORTED = 1 ]; then
n=$((n + 1))
echo_i "checking that ECDSA256 positive validation works ($n)"
ret=0
echo_i "algorithm ECDSA256 not supported, skipping test"
fi
-if [ -f ecdsa384-supported.file ]; then
+if [ $ECDSAP384SHA384_SUPPORTED = 1 ]; then
n=$((n + 1))
echo_i "checking that ECDSA384 positive validation works ($n)"
ret=0
rm -f ns*/signer.err
rm -f ns*/trusted.conf
rm -f ns*/example.com.db
-rm -f *-supported.file
cp $infile $zonefile
-if [ -f ../ed25519-supported.file ]; then
+if [ $ED25519_SUPPORTED = 1 ]; then
zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone")
ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone")
cat "$ksk25519.key" "$zsk25519.key" >>"$zonefile"
$DSFROMKEY -a sha-256 "$ksk25519.key" >>dsset-256
fi
-if [ -f ../ed448-supported.file ]; then
+if [ $ED448_SUPPORTED = 1 ]; then
zsk448=$($KEYGEN -q -a ED448 -n zone "$zone")
ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone")
cat "$ksk448.key" "$zsk448.key" >>"$zonefile"
fi
# Configure the resolving server with a static key.
-if [ -f ../ed25519-supported.file ]; then
+if [ $ED25519_SUPPORTED = 1 ]; then
keyfile_to_static_ds $ksk25519 >trusted.conf
cp trusted.conf ../ns2/trusted.conf
else
cp trusted.conf ../ns2/trusted.conf
fi
-if [ -f ../ed448-supported.file ]; then
+if [ $ED448_SUPPORTED = 1 ]; then
keyfile_to_static_ds $ksk448 >trusted.conf
cp trusted.conf ../ns3/trusted.conf
else
cp $infile $zonefile
-if [ -f ../ed25519-supported.file ]; then
+if [ $ED25519_SUPPORTED = 1 ]; then
for i in Xexample.com.+015+03613 Xexample.com.+015+35217; do
cp "$i.key" "$(echo $i.key | sed s/X/K/)"
cp $infile $zonefile
-if [ -f ../ed448-supported.file ]; then
+if [ $ED448_SUPPORTED = 1 ]; then
for i in Xexample.com.+016+09713 Xexample.com.+016+38353; do
cp "$i.key" "$(echo $i.key | sed s/X/K/)"
cp "$i.private" "$(echo $i.private | sed s/X/K/)"
. ../conf.sh
-supported=0
-if $SHELL ../testcrypto.sh ed25519; then
- supported=1
+if [ $ED25519_SUPPORTED = 0 ] && [ $ED448_SUPPORTED = 0 ]; then
+ exit 1
fi
-if $SHELL ../testcrypto.sh ed448; then
- supported=1
-fi
-
-[ "$supported" -eq 1 ] || exit 1
. ../conf.sh
-if $SHELL ../testcrypto.sh ed25519; then
- echo "yes" >ed25519-supported.file
-fi
-
-if $SHELL ../testcrypto.sh ed448; then
- echo "yes" >ed448-supported.file
-fi
-
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
"$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
}
-if [ -f ed25519-supported.file ]; then
+if [ $ED25519_SUPPORTED = 1 ]; then
# Check the example. domain
n=$((n + 1))
echo_i "checking that Ed25519 positive validation works ($n)"
n=$((n + 1))
ret=0
-if [ -f ed448-supported.file ]; then
+if [ $ED448_SUPPORTED = 1 ]; then
# Check the example. domain
n=$((n + 1))
echo_i "checking that Ed448 positive validation works ($n)"
alg=$(echo "$algtypebits" | cut -f 1 -d :)
type=$(echo "$algtypebits" | cut -f 2 -d :)
bits=$(echo "$algtypebits" | cut -f 3 -d :)
+ alg_upper=$(echo "$alg" | tr '[:lower:]' '[:upper:]')
+ supported=$(eval "echo \$${alg_upper}_SUPPORTED")
tld="example"
- if $SHELL ../testcrypto.sh $alg; then
+ if [ "${supported}" = 1 ]; then
zone="$alg.$tld"
zonefile="zone.$alg.$tld.db"
ret=0
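Review bot: `supported=$(eval "echo \$${alg_upper}_SUPPORTED")` builds shell source from `$alg`, and when the derived variable does not exist the expansion is silently empty, so a misspelled or newly added algorithm makes its zone test skip instead of fail. The loop that sets `algtypebits` starts outside the hunk, so I cannot see where the names come from; presumably a fixed list in this script, in which case the eval is not reachable from external input, but an indirection that fails closed is still preferable. A sh-compatible alternative without eval is a `case "$alg" in` mapping each known name to its `*_SUPPORTED` variable with a `*)` arm that reports the unknown name; at minimum, add `[ -n "$supported" ] || echo_i "no ${alg_upper}_SUPPORTED setting for $alg"` right after the assignment so the skip is visible in the log. The same pattern is added in the `tld="views"` block below and in the later `zone="$alg.example"` block.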
alg=$(echo "$algtypebits" | cut -f 1 -d :)
type=$(echo "$algtypebits" | cut -f 2 -d :)
bits=$(echo "$algtypebits" | cut -f 3 -d :)
+alg_upper=$(echo "$alg" | tr '[:lower:]' '[:upper:]')
+supported=$(eval "echo \$${alg_upper}_SUPPORTED")
tld="views"
-if $SHELL ../testcrypto.sh $alg; then
+if [ "${supported}" = 1 ]; then
zone="$alg.$tld"
zonefile1="zone.$alg.$tld.view1.db"
zonefile2="zone.$alg.$tld.view2.db"
rm -f *.created published.test* retired.test*
rm -f rndc.dnssec.*.out.* rndc.zonestatus.out.*
rm -f python.out.*
-rm -f *-supported.file
rm -f created.key-* unused.key-*
rm -f ns3/ksk/K* ns3/zsk/K*
rm -rf ./ns3/ksk/ ./ns3/zsk/
# Set up RSASHA1 based zones
#
for zn in rsasha1 rsasha1-nsec3; do
- if (
- cd ..
- $SHELL ../testcrypto.sh -q RSASHA1
- ); then
+ if [ $RSASHA1_SUPPORTED = 1 ]; then
setup "${zn}.kasp"
cp template.db.in "$zonefile"
else
fi
done
-if [ -f ../ed25519-supported.file ]; then
+if [ $ED25519_SUPPORTED = 1 ]; then
setup "ed25519.kasp"
cp template.db.in "$zonefile"
cat ed25519.conf >>named.conf
fi
-if [ -f ../ed448-supported.file ]; then
+if [ $ED448_SUPPORTED = 1 ]; then
setup "ed448.kasp"
cp template.db.in "$zonefile"
cat ed448.conf >>named.conf
mkdir ns3/keys
copy_setports ns2/named.conf.in ns2/named.conf
-if ! $SHELL ../testcrypto.sh -q RSASHA1; then
+if [ $RSASHA1_SUPPORTED = 0 ]; then
copy_setports ns3/named-fips.conf.in ns3/named.conf
else
copy_setports ns3/named-fips.conf.in ns3/named-fips.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
-if $SHELL ../testcrypto.sh ed25519; then
- echo "yes" >ed25519-supported.file
-fi
-
-if $SHELL ../testcrypto.sh ed448; then
- echo "yes" >ed448-supported.file
-fi
-
copy_setports ns3/policies/autosign.conf.in ns3/policies/autosign.conf
copy_setports ns3/policies/kasp-fips.conf.in ns3/policies/kasp-fips.conf
copy_setports ns3/policies/kasp.conf.in ns3/policies/kasp.conf
-if ! $SHELL ../testcrypto.sh -q RSASHA1; then
+if [ $RSASHA1_SUPPORTED = 0 ]; then
cp ns3/policies/kasp-fips.conf ns3/policies/kasp.conf
fi
copy_setports ns6/policies/csk2.conf.in ns6/policies/csk2.conf
copy_setports ns6/policies/kasp-fips.conf.in ns6/policies/kasp-fips.conf
copy_setports ns6/policies/kasp.conf.in ns6/policies/kasp.conf
-if ! $SHELL ../testcrypto.sh -q RSASHA1; then
+if [ $RSASHA1_SUPPORTED = 0 ]; then
cp ns6/policies/kasp-fips.conf ns6/policies/kasp.conf
fi
#
# Zone: rsasha1.kasp.
#
-if $SHELL ../testcrypto.sh -q RSASHA1; then
+if [ $RSASHA1_SUPPORTED = 1 ]; then
set_zone "rsasha1.kasp"
set_policy "rsasha1" "3" "1234"
set_server "ns3" "10.53.0.3"
#
# Zone: rsasha1-nsec3.kasp.
#
-if $SHELL ../testcrypto.sh -q RSASHA1; then
+if [ $RSASHA1_SUPPORTED = 1 ]; then
set_zone "rsasha1-nsec3.kasp"
set_policy "rsasha1-nsec3" "3" "1234"
set_server "ns3" "10.53.0.3"
#
# Zone: ed25519.kasp.
#
-if [ -f ed25519-supported.file ]; then
+if [ $ED25519_SUPPORTED = 1 ]; then
set_zone "ed25519.kasp"
set_policy "ed25519" "3" "1234"
set_server "ns3" "10.53.0.3"
#
# Zone: ed448.kasp.
#
-if [ -f ed448-supported.file ]; then
+if [ $ED448_SUPPORTED = 1 ]; then
set_zone "ed448.kasp"
set_policy "ed448" "3" "1234"
set_server "ns3" "10.53.0.3"
alg=$(echo "$algtypebits" | cut -f 1 -d :)
type=$(echo "$algtypebits" | cut -f 2 -d :)
bits=$(echo "$algtypebits" | cut -f 3 -d :)
+ alg_upper=$(echo "$alg" | tr '[:lower:]' '[:upper:]')
+ supported=$(eval "echo \$${alg_upper}_SUPPORTED")
- if $SHELL ../testcrypto.sh $alg; then
+ if [ "${supported}" = 1 ]; then
zone="$alg.example"
zonefile="zone.$alg.example.db"
ret=0
setup "${zn}.kasp"
done
-if (
- cd ..
- $SHELL ../testcrypto.sh -q RSASHA1
-); then
+if [ $RSASHA1_SUPPORTED = 1 ]; then
for zn in rsasha1-to-nsec3 rsasha1-to-nsec3-wait nsec3-to-rsasha1 \
nsec3-to-rsasha1-ds; do
setup "${zn}.kasp"
$SHELL setup.sh
)
-if ! ($SHELL ../testcrypto.sh -q RSASHA1); then
+if [ $RSASHA1_SUPPORTED = 0 ]; then
copy_setports ns3/named-fips.conf.in ns3/named.conf
else
copy_setports ns3/named-fips.conf.in ns3/named-fips.conf
echo_i "initial check zone ${ZONE}"
check_nsec
-if ($SHELL ../testcrypto.sh -q RSASHA1); then
+if [ $RSASHA1_SUPPORTED = 1 ]; then
# Zone: rsasha1-to-nsec3.kasp.
set_zone_policy "rsasha1-to-nsec3.kasp" "rsasha1" 1 3600
set_server "ns3" "10.53.0.3"
# Reconfig named.
ret=0
echo_i "reconfig dnssec-policy to trigger nsec3 rollovers"
-if ! ($SHELL ../testcrypto.sh -q RSASHA1); then
+if [ $RSASHA1_SUPPORTED = 0 ]; then
copy_setports ns3/named2-fips.conf.in ns3/named.conf
else
copy_setports ns3/named2-fips.conf.in ns3/named-fips.conf
echo_i "check zone ${ZONE} after reconfig"
check_nsec3
-if ($SHELL ../testcrypto.sh -q RSASHA1); then
+if [ $RSASHA1_SUPPORTED = 1 ]; then
# Zone: rsasha1-to-nsec3.kasp.
set_zone_policy "rsasha1-to-nsec3.kasp" "nsec3" 2 3600
set_server "ns3" "10.53.0.3"