# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
-SYSTEMTESTTOP=.
-. $SYSTEMTESTTOP/conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
-if [ ! -x ../../pkcs11/pkcs11-destroy ]; then exit 1; fi
-
-$PK11DEL -w0 > /dev/null 2>&1
+[ -x "$TOP_BUILDDIR/bin/pkcs11/pkcs11-destroy" ] && $PK11DEL -w0 > /dev/null 2>&1
set -e
rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
-rm -f dig.out* pin upd.log*
-rm -f ns1/*.key ns1/named.memstats
+rm -f dig.out* pin upd.log* upd.cmd* pkcs11-list.out*
+rm -f ns1/*.ksk ns1/*.zsk ns1/named.memstats
rm -f supported
-rm -f ns*/named.run
-rm -f ns*/named.lock
+rm -f ns*/named.run ns*/named.lock ns*/named.conf
rm -f ns*/managed-keys.bind*
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
- port 5300;
+ port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
};
controls {
- inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
-};
-
-zone "rsa.example." {
- type master;
- file "rsa.example.db.signed";
- allow-update { any; };
-};
-
-zone "ecc.example." {
- type master;
- file "ecc.example.db.signed";
- allow-update { any; };
-};
-
-zone "ecx.example." {
- type master;
- file "ecx.example.db.signed";
- allow-update { any; };
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
-set -e
+set -eu
# shellcheck source=conf.sh
-. $SYSTEMTESTTOP/conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
-echo "I:(Native PKCS#11)" >&2
-ecxfail=0
-
-$SHELL ../testcrypto.sh -q eddsa || ecxfail=1
-
-rm -f supported
-touch supported
-echo rsa >> supported
-echo ecc >> supported
-if [ $ecxfail = 0 ]; then
- echo ecx >> supported
-fi
+echo_i "Generating keys for Native PKCS#11" >&2
infile=ns1/example.db.in
printf '%s' "${HSMPIN:-1234}" > pin
PWD=$(pwd)
-zone=rsa.example
-zonefile=ns1/rsa.example.db
-have_rsa=$(grep rsa supported || true)
-if [ "x$have_rsa" != "x" ]; then
- $PK11GEN -a RSA -b 1024 -l robie-rsa-zsk1 -i 01
- $PK11GEN -a RSA -b 1024 -l robie-rsa-zsk2 -i 02
- $PK11GEN -a RSA -b 2048 -l robie-rsa-ksk
-
- rsazsk1=$($KEYFRLAB -a RSASHA1 \
- -l "object=robie-rsa-zsk1;pin-source=$PWD/pin" rsa.example)
- rsazsk2=$($KEYFRLAB -a RSASHA1 \
- -l "object=robie-rsa-zsk2;pin-source=$PWD/pin" rsa.example)
- rsaksk=$($KEYFRLAB -a RSASHA1 -f ksk \
- -l "object=robie-rsa-ksk;pin-source=$PWD/pin" rsa.example)
-
- cat $infile "$rsazsk1".key "$rsaksk".key > $zonefile
- $SIGNER -a -P -g -o $zone $zonefile \
- > /dev/null 2> signer.err || cat signer.err
- cp "$rsazsk2".key ns1/rsa.key
- mv Krsa* ns1
-else
- # RSA not available and will not be tested; make a placeholder
- cp $infile ${zonefile}.signed
-fi
-
-zone=ecc.example
-zonefile=ns1/ecc.example.db
-have_ecc=$(grep ecc supported || true)
-if [ "x$have_ecc" != "x" ]; then
- $PK11GEN -a ECC -b 256 -l robie-ecc-zsk1 -i 03
- $PK11GEN -a ECC -b 256 -l robie-ecc-zsk2 -i 04
- $PK11GEN -a ECC -b 384 -l robie-ecc-ksk
-
- ecczsk1=$($KEYFRLAB -a ECDSAP256SHA256 \
- -l "object=robie-ecc-zsk1;pin-source=$PWD/pin" ecc.example)
- ecczsk2=$($KEYFRLAB -a ECDSAP256SHA256 \
- -l "object=robie-ecc-zsk2;pin-source=$PWD/pin" ecc.example)
- eccksk=$($KEYFRLAB -a ECDSAP384SHA384 -f ksk \
- -l "object=robie-ecc-ksk;pin-source=$PWD/pin" ecc.example)
-
- cat $infile "$ecczsk1".key "$eccksk".key > $zonefile
- $SIGNER -a -P -g -o $zone $zonefile \
- > /dev/null 2> signer.err || cat signer.err
- cp "$ecczsk2".key ns1/ecc.key
- mv Kecc* ns1
-else
- # ECC not available and will not be tested; make a placeholder
- cp $infile ${zonefile}.signed
-fi
-
-zone=ecx.example
-zonefile=ns1/ecx.example.db
-have_ecx=$(grep ecx supported || true)
-if [ "x$have_ecx" != "x" ]; then
- $PK11GEN -a ECX -b 256 -l robie-ecx-zsk1 -i 05
- $PK11GEN -a ECX -b 256 -l robie-ecx-zsk2 -i 06
- $PK11GEN -a ECX -b 256 -l robie-ecx-ksk
-# $PK11GEN -a ECX -b 456 -l robie-ecx-ksk
-
- ecxzsk1=$($KEYFRLAB -a ED25519 \
- -l "object=robie-ecx-zsk1;pin-source=$PWD/pin" ecx.example)
- ecxzsk2=$($KEYFRLAB -a ED25519 \
- -l "object=robie-ecx-zsk2;pin-source=$PWD/pin" ecx.example)
- ecxksk=$($KEYFRLAB -a ED25519 -f ksk \
- -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example)
-# ecxksk=`$KEYFRLAB -a ED448 -f ksk \
-# -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example`
-
- cat $infile "$ecxzsk1".key "$ecxksk".key > $zonefile
- $SIGNER -a -P -g -o $zone $zonefile \
- > /dev/null 2> signer.err || cat signer.err
- cp "$ecxzsk2".key ns1/ecx.key
- mv Kecx* ns1
-else
- # ECX not available and will not be tested; make a placeholder
- cp $infile ${zonefile}.signed
-fi
-
-rm -f signer.err
+copy_setports ns1/named.conf.in ns1/named.conf
+
+get_random() {
+ dd if=/dev/urandom bs=1 count=2 2>/dev/null | od -tu2 -An
+}
+
+genpkcs() (
+ alg="$1"
+ bits="$2"
+ label="$3"
+ id="$(get_random)"
+
+ $PK11DEL -l "$label" -w0 >/dev/null || true
+ $PK11GEN -a "$alg" -b "$bits" -l "$label" -i "$id" >/dev/null
+)
+
+keyfrlab() (
+ alg="$1"
+ bits="$2"
+ label="$3"
+ zone="$4"
+ shift 4
+
+ $KEYFRLAB -a "$alg" -l "pkcs11:object=$label;pin-source=$PWD/pin" "$@" "$zone"
+)
+
+genzsk() (
+ genpkcs "$@"
+ keyfrlab "$@"
+)
+
+genksk() (
+ genpkcs "$@"
+ keyfrlab "$@" -f ksk
+)
+
+algs=
+for algbits in rsasha256:2048 rsasha512:2048 ecdsap256sha256:256 ecdsap384sha384:384 ed25519:256 ed448:456; do
+ alg=$(echo "$algbits" | cut -f 1 -d :)
+ bits=$(echo "$algbits" | cut -f 2 -d :)
+ zone="$alg.example"
+ zonefile="ns1/$alg.example.db"
+ if $SHELL "$SYSTEMTESTTOP/testcrypto.sh" "$alg"; then
+ echo "$alg" >> supported
+ algs="$algs$alg "
+
+ zsk1=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk1" "$zone")
+ zsk2=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk2" "$zone")
+ ksk1=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk1" "$zone")
+ ksk2=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk2" "$zone")
+
+ cat "$infile" "$zsk1.key" "$ksk1.key" > "$zonefile"
+ $SIGNER -a -P -g -o "$zone" "$zonefile" > /dev/null
+ cp "$zsk2.key" "ns1/$alg.zsk"
+ cp "$ksk2.key" "ns1/$alg.ksk"
+ mv "K$alg"* ns1/
+
+ cat >> ns1/named.conf <<EOF
+zone "$alg.example." {
+ type master;
+ file "$alg.example.db.signed";
+ allow-update { any; };
+};
+
+EOF
+ fi
+done
+echo_i "Generated keys for Native PKCS#11: $algs"
set -e
# shellcheck source=conf.sh
-. $SYSTEMTESTTOP/conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
-dig_with_opts() {
- $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300 "$@"
+count_rrsigs() (
+ grep -c "IN[[:space:]]*RRSIG" "$@" || true
+)
+
+dig_with_opts() (
+ $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+)
+
+dig_for_rr() (
+ alg=$1
+ rrtype=$2
+ count0=$3
+ dig_with_opts "$alg.example." @10.53.0.1 "$rrtype" > "dig.out.$rrtype.$alg" &&
+ count=$(count_rrsigs "dig.out.$rrtype.$alg") &&
+ test "$count" -gt "$count0"
+)
+
+test_done() {
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ ret=0
}
status=0
ret=0
-algs=""
-have_rsa=$(grep rsa supported || true)
-if [ "x$have_rsa" != "x" ]; then
- algs="rsa "
-fi
-have_ecc=$(grep ecc supported || true)
-if [ "x$have_ecc" != "x" ]; then
- algs=$algs"ecc "
-fi
-have_ecx=$(grep ecx supported || true)
-if [ "x$have_ecx" != "x" ]; then
- algs=$algs"ecx "
-fi
-
-for alg in $algs; do
- zonefile=ns1/$alg.example.db
- echo "I:testing PKCS#11 key generation ($alg)"
- count=$($PK11LIST | grep -c "robie-$alg-ksk" || true)
- if [ "$count" -ne 2 ]; then echo "I:failed"; status=1; fi
-
- echo "I:testing offline signing with PKCS#11 keys ($alg)"
-
- count=$(grep -c RRSIG "$zonefile.signed" || true)
- if [ "$count" -ne 12 ]; then echo "I:failed"; status=1; fi
-
- echo "I:testing inline signing with PKCS#11 keys ($alg)"
-
- dig_with_opts "ns.$alg.example." @10.53.0.1 a > "dig.out.$alg.0" || ret=1
- if [ $ret -ne 0 ]; then echo "I:failed"; fi
- status=$((status + ret))
- count0=$(grep -c RRSIG "dig.out.$alg.0" || true)
-
- $NSUPDATE -v > "upd.log.$alg" <<END || status=1
-server 10.53.0.1 5300
+n=0
+while read -r alg; do
+ zonefile=ns1/$alg.example.db
+ echo_i "testing PKCS#11 key generation ($alg)"
+ count=$($PK11LIST | grep -c "pkcs11-$alg-ksk" || true)
+ [ "$count" -eq 4 ] || ret=1
+ test_done
+
+ echo_i "testing offline signing with PKCS#11 keys ($alg)"
+
+ count=$(grep -c "[0-9][[:space:]]*RRSIG" "$zonefile.signed")
+ [ "$count" -eq 9 ] || ret=1
+ test_done
+
+ echo_i "testing inline signing with new PKCS#11 ZSK ($alg)"
+
+ dig_with_opts "$alg.example." @10.53.0.1 "SOA" > "dig.out.SOA.$alg.0" || ret=1
+ countSOA0=$(count_rrsigs "dig.out.SOA.$alg.0")
+ new_zsk=$(grep -v ';' "ns1/$alg.zsk")
+
+ cat > "upd.cmd.ZSK.$alg" <<EOF
+server 10.53.0.1 $PORT
ttl 300
zone $alg.example.
-update add $(grep -v ';' "ns1/${alg}.key" || true)
+update add $new_zsk
send
-END
+EOF
- echo "I:waiting 20 seconds for key changes to take effect"
- sleep 20
+ $NSUPDATE -v > "upd.log.ZSK.$alg" < "upd.cmd.ZSK.$alg" || ret=1
- dig_with_opts "ns.$alg.example." @10.53.0.1 a > "dig.out.$alg" || ret=1
- if [ $ret -ne 0 ]; then echo "I:failed"; fi
- status=$((status + ret))
- count=$(grep -c RRSIG "dig.out.$alg" || true)
- if [ "$count" -le "$count0" ]; then echo "I:failed"; status=1; fi
+ retry_quiet 20 dig_for_rr "$alg" "SOA" "$countSOA0" || ret=1
+ test_done
- echo "I:testing PKCS#11 key destroy ($alg)"
- ret=0
- $PK11DEL -l "robie-$alg-ksk" -w0 > /dev/null 2>&1 || ret=1
- $PK11DEL -l "robie-$alg-zsk1" -w0 > /dev/null 2>&1 || ret=1
- case $alg in
- rsa) id=02 ;;
- ecc) id=04 ;;
- ecx) id=06 ;;
- esac
- $PK11DEL -i $id -w0 > /dev/null 2>&1 || ret=1
- if [ $ret -ne 0 ]; then echo "I:failed"; fi
- status=$((status + ret))
- count=$($PK11LIST | grep -c "robie-$alg" || true)
- if [ "$count" -ne 0 ]; then echo "I:failed"; fi
- status=$((status + count))
-done
-
-echo "I:exit status: $status"
+ echo_i "testing inline signing with new PKCS#11 KSK ($alg)"
+
+ dig_with_opts "$alg.example." @10.53.0.1 "DNSKEY" > "dig.out.DNSKEY.$alg.0" || ret=1
+ countDNSKEY0=$(count_rrsigs "dig.out.DNSKEY.$alg.0")
+ new_ksk=$(grep -v ';' "ns1/$alg.ksk")
+
+ cat > "upd.cmd.KSK.$alg" <<EOF
+server 10.53.0.1 $PORT
+ttl 300
+zone $alg.example.
+update add $new_ksk
+send
+EOF
+
+ $NSUPDATE -v > "upd.log.KSK.$alg" < "upd.cmd.KSK.$alg" || ret=1
+
+ retry_quiet 20 dig_for_rr "$alg" "DNSKEY" "$countDNSKEY0" || ret=1
+ test_done
+
+ echo_i "testing PKCS#11 key destroy ($alg)"
+
+ # Lookup all existing keys
+ echo_i "looking up all existing keys ($alg)"
+ $PK11LIST > "pkcs11-list.out.id.$alg" || ret=1
+ test_done
+
+ echo_i "destroying key with 'pkcs11-$alg-ksk1' label ($alg)"
+ $PK11DEL -l "pkcs11-$alg-ksk1" > /dev/null 2>&1 || ret=1
+ test_done
+
+ echo_i "destroying key with 'pkcs11-$alg-zsk1' label ($alg)"
+ $PK11DEL -l "pkcs11-$alg-zsk1" > /dev/null 2>&1 || ret=1
+ test_done
+
+ id=$(awk -v label="'pkcs11-$alg-ksk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg")
+ echo_i "destroying key with $id id ($alg)"
+ if [ -n "$id" ]; then
+ $PK11DEL -i "$id" > /dev/null 2>&1 || ret=1
+ else
+ ret=1
+ fi
+ test_done
+
+ id=$(awk -v label="'pkcs11-$alg-zsk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg")
+ echo_i "destroying key with $id id ($alg)"
+ if [ -n "$id" ]; then
+ $PK11DEL -i "$id" > /dev/null 2>&1 || ret=1
+ else
+ ret=1
+ fi
+ test_done
+
+ echo_i "checking if all keys have been destroyed ($alg)"
+ $PK11LIST > "pkcs11-list.out.$alg" || ret=1
+ count=$(grep -c "pkcs11-$alg-[kz]sk[0-9]*" "pkcs11-list.out.$alg" || true)
+ [ "$count" -eq 0 ] || ret=1
+ test_done
+ n=$((n+1))
+done < supported
+
+echo_i "Checking if all supported algorithms were tested"
+[ "$n" -eq "$(wc -l < supported)" ] || ret=1
+test_done
+
+echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1
alg="-a RSASHA1"
msg="RSA cryptography"
;;
- ecdsa|ECDSA)
- alg="-a ecdsap256sha256"
+ rsasha256|RSASHA256)
+ alg="-a RSASHA256"
+ msg="RSA cryptography"
+ ;;
+ rsasha512|RSASHA512)
+ alg="-a RSASHA512"
+ msg="RSA cryptography"
+ ;;
+ ecdsa|ECDSA|ecdsap256sha256|ECDSAP256SHA256)
+ alg="-a ECDSAP256SHA256"
msg="ECDSA cryptography"
;;
- eddsa|EDDSA)
+ ecdsap384sha384|ECDSAP384SHA384)
+ alg="-a ECDSAP384SHA384"
+ msg="ECDSA cryptography"
+ ;;
+ eddsa|EDDSA|ed25519|ED25519)
+ alg="-a ED25519"
+ msg="EDDSA cryptography"
+ ;;
+ ed448|ED448)
alg="-a ED25519"
msg="EDDSA cryptography"
;;
projects / thirdparty / bind9.git / commitdiff
