+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-set -e
-
-# shellcheck source=conf.sh
-. ../conf.sh
-
-PWD=$(pwd)
-
-keygen() {
- type="$1"
- bits="$2"
- zone="$3"
- id="$4"
-
- label="${id}-${zone}"
- p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}')
- pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-keyfromlabel" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) >pkcs11-tool.out.$zone.$id || return 1
-}
-
-keyfromlabel() {
- alg="$1"
- zone="$2"
- id="$3"
- shift 3
-
- $KEYFRLAB -E pkcs11 -a $alg -l "token=softhsm2-keyfromlabel;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>>/dev/null || return 1
- cat keyfromlabel.out.$zone.$id
-}
-
-infile="template.db.in"
-for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
- ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1; do # Edwards curves are not yet supported by OpenSC
- # ed25519:EC:edwards25519 ed448:EC:edwards448
- alg=$(echo "$algtypebits" | cut -f 1 -d :)
- type=$(echo "$algtypebits" | cut -f 2 -d :)
- bits=$(echo "$algtypebits" | cut -f 3 -d :)
-
- if $SHELL ../testcrypto.sh $alg; then
- zone="$alg.example"
- zonefile="zone.$alg.example.db"
- ret=0
-
- echo_i "Generate keys $alg $type:$bits for zone $zone"
- keygen $type $bits $zone keyfromlabel-zsk || ret=1
- keygen $type $bits $zone keyfromlabel-ksk || ret=1
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-
- # Skip dnssec-keyfromlabel if key generation failed.
- test $ret -eq 0 || continue
-
- echo_i "Get ZSK $alg $zone $type:$bits"
- ret=0
- zsk=$(keyfromlabel $alg $zone keyfromlabel-zsk)
- test -z "$zsk" && ret=1
- test "$ret" -eq 0 || echo_i "failed (zsk=$zsk)"
- status=$((status + ret))
-
- echo_i "Get KSK $alg $zone $type:$bits"
- ret=0
- ksk=$(keyfromlabel $alg $zone keyfromlabel-ksk -f KSK)
- test -z "$ksk" && ret=1
- test "$ret" -eq 0 || echo_i "failed (ksk=$ksk)"
- status=$((status + ret))
-
- # Skip signing if dnssec-keyfromlabel failed.
- test $ret -eq 0 || continue
-
- echo_i "Sign zone with $ksk $zsk"
- ret=0
- cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
- $SIGNER -E pkcs11 -S -a -g -o "$zone" "$zonefile" >signer.out.$zone || ret=1
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
- fi
-done
-
-echo_i "exit status: $status"
-[ $status -eq 0 ] || exit 1
--- /dev/null
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import hashlib
+import os
+import re
+import shutil
+
+import pytest
+
+import isctest.mark
+
+
+pytestmark = [
+ isctest.mark.supported_openssl_version,
+ isctest.mark.softhsm2_environment,
+ pytest.mark.extra_artifacts(
+ [
+ "*.example.db",
+ "*.example.db.signed",
+ "K*",
+ "dsset-*",
+ "keyfromlabel.out.*",
+ "pin",
+ "pkcs11-tool.out.*",
+ "signer.out.*",
+ ],
+ ),
+]
+
+
+EMPTY_OPENSSL_CONF_ENV = {**os.environ, "OPENSSL_CONF": ""}
+
+HSMPIN = "1234"
+
+
+@pytest.fixture(autouse=True)
+def token_init_and_cleanup():
+
+ # Create pin file for the $KEYFRLAB command
+ with open("pin", "w", encoding="utf-8") as pinfile:
+ pinfile.write(HSMPIN)
+
+ token_init_command = [
+ "softhsm2-util",
+ "--init-token",
+ "--free",
+ "--pin",
+ HSMPIN,
+ "--so-pin",
+ HSMPIN,
+ "--label",
+ "softhsm2-keyfromlabel",
+ ]
+
+ token_cleanup_command = [
+ "softhsm2-util",
+ "--delete-token",
+ "--token",
+ "softhsm2-keyfromlabel",
+ ]
+
+ isctest.run.cmd(
+ token_cleanup_command,
+ env=EMPTY_OPENSSL_CONF_ENV,
+ log_stderr=False,
+ raise_on_exception=False,
+ )
+
+ try:
+ output = isctest.run.cmd(
+ token_init_command, env=EMPTY_OPENSSL_CONF_ENV, log_stdout=True
+ ).stdout.decode("utf-8")
+ assert "The token has been initialized and is reassigned to slot" in output
+ yield
+ finally:
+ output = isctest.run.cmd(
+ token_cleanup_command, env=EMPTY_OPENSSL_CONF_ENV, log_stdout=True
+ ).stdout.decode("utf-8")
+ assert re.search("Found token (.*) with matching token label", output)
+ assert re.search("The token (.*) has been deleted", output)
+
+
+# pylint: disable-msg=too-many-locals
+@pytest.mark.parametrize(
+ "alg_name,alg_type,alg_bits",
+ [
+ ("rsasha256", "rsa", "2048"),
+ ("rsasha512", "rsa", "2048"),
+ ("ecdsap256sha256", "EC", "prime256v1"),
+ ("ecdsap384sha384", "EC", "prime384v1"),
+ # Edwards curves are not yet supported by OpenSC
+ # ("ed25519","EC","edwards25519"),
+ # ("ed448","EC","edwards448")
+ ],
+)
+def test_keyfromlabel(alg_name, alg_type, alg_bits):
+
+ def keygen(alg_type, alg_bits, zone, key_id):
+ label = f"{key_id}-{zone}"
+ p11_id = hashlib.sha1(label.encode("utf-8")).hexdigest()
+
+ pkcs11_command = [
+ "pkcs11-tool",
+ "--module",
+ os.environ.get("SOFTHSM2_MODULE"),
+ "--token-label",
+ "softhsm2-keyfromlabel",
+ "-l",
+ "-k",
+ "--key-type",
+ f"{alg_type}:{alg_bits}",
+ "--label",
+ label,
+ "--id",
+ p11_id,
+ "--pin",
+ HSMPIN,
+ ]
+
+ output = isctest.run.cmd(
+ pkcs11_command, env=EMPTY_OPENSSL_CONF_ENV, log_stdout=True
+ ).stdout.decode("utf-8")
+
+ assert "Key pair generated" in output
+
+ def keyfromlabel(alg_name, zone, key_id, key_flag):
+ key_flag = key_flag.split() if key_flag else []
+
+ keyfrlab_command = [
+ os.environ["KEYFRLAB"],
+ "-E",
+ "pkcs11",
+ "-a",
+ alg_name,
+ "-l",
+ f"pkcs11:token=softhsm2-keyfromlabel;object={key_id}-{zone};pin-source=pin",
+ *key_flag,
+ zone,
+ ]
+
+ output = isctest.run.cmd(keyfrlab_command, log_stdout=True)
+ output_decoded = output.stdout.decode("utf-8").rstrip() + ".key"
+
+ assert os.path.exists(output_decoded)
+
+ return output_decoded
+
+ if (
+ isctest.run.cmd(
+ [os.environ["SHELL"], "../testcrypto.sh", alg_name],
+ raise_on_exception=False,
+ ).returncode
+ != 0
+ ):
+ pytest.skip(f"{alg_name} is not supported")
+
+ # Generate keys for the $zone zone
+ zone = f"{alg_name}.example"
+
+ keygen(alg_type, alg_bits, zone, "keyfromlabel-zsk")
+ keygen(alg_type, alg_bits, zone, "keyfromlabel-ksk")
+
+ # Get ZSK
+ zsk_file = keyfromlabel(alg_name, zone, "keyfromlabel-zsk", "")
+
+ # Get KSK
+ ksk_file = keyfromlabel(alg_name, zone, "keyfromlabel-ksk", "-f KSK")
+
+ # Sign zone with KSK and ZSK
+ zone_file = f"zone.{alg_name}.example.db"
+
+ with open(zone_file, "w", encoding="utf-8") as outfile:
+ for f in ["template.db.in", ksk_file, zsk_file]:
+ with open(f, "r", encoding="utf-8") as fd:
+ shutil.copyfileobj(fd, outfile)
+
+ signer_command = [
+ os.environ["SIGNER"],
+ "-E",
+ "pkcs11",
+ "-S",
+ "-a",
+ "-g",
+ "-o",
+ zone,
+ zone_file,
+ ]
+ isctest.run.cmd(signer_command, log_stdout=True)
+
+ assert os.path.exists(f"{zone_file}.signed")
projects / thirdparty / bind9.git / commitdiff
