From: Ondřej Surý
Date: Thu, 30 Apr 2020 12:53:40 +0000 (+0200)
Subject: Refactor the pkcs11 to test for individual algorithms
X-Git-Tag: v9.17.2~108^2~5
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=a6bdb9639a31cb9237912e033d06cf3f9da4485c;p=thirdparty%2Fbind9.git

Refactor the pkcs11 to test for individual algorithms
---
diff --git a/bin/tests/system/cleanpkcs11.sh b/bin/tests/system/cleanpkcs11.sh
index b974708b1c9..7c44ce265bc 100644
--- a/bin/tests/system/cleanpkcs11.sh
+++ b/bin/tests/system/cleanpkcs11.sh
@@ -9,9 +9,6 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
-SYSTEMTESTTOP=.
-. $SYSTEMTESTTOP/conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
-if [ ! -x ../../pkcs11/pkcs11-destroy ]; then exit 1; fi
-
-$PK11DEL -w0 > /dev/null 2>&1
+[ -x "$TOP_BUILDDIR/bin/pkcs11/pkcs11-destroy" ] && $PK11DEL -w0 > /dev/null 2>&1
diff --git a/bin/tests/system/pkcs11/clean.sh b/bin/tests/system/pkcs11/clean.sh
index a3c1ab3a120..ffdbec76f67 100644
--- a/bin/tests/system/pkcs11/clean.sh
+++ b/bin/tests/system/pkcs11/clean.sh
@@ -12,9 +12,8 @@ set -e
 rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
-rm -f dig.out* pin upd.log*
-rm -f ns1/*.key ns1/named.memstats
+rm -f dig.out* pin upd.log* upd.cmd* pkcs11-list.out*
+rm -f ns1/*.ksk ns1/*.zsk ns1/named.memstats
 rm -f supported
-rm -f ns*/named.run
-rm -f ns*/named.lock
+rm -f ns*/named.run ns*/named.lock ns*/named.conf
 rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/pkcs11/ns1/named.conf b/bin/tests/system/pkcs11/ns1/named.conf.in
similarity index 66%
rename from bin/tests/system/pkcs11/ns1/named.conf
rename to bin/tests/system/pkcs11/ns1/named.conf.in
index 0e96eda38a7..a4a51b357cf 100644
--- a/bin/tests/system/pkcs11/ns1/named.conf
+++ b/bin/tests/system/pkcs11/ns1/named.conf.in
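Review bot: With `SYSTEMTESTTOP=.` removed, the `. "$SYSTEMTESTTOP/conf.sh"` line in cleanpkcs11.sh now depends on the caller exporting SYSTEMTESTTOP, and nothing in the hunk fails fast when it is unset (no `set -u` is in view), so an unset variable turns into an attempt to source `/conf.sh`, which depending on the shell either aborts the script or continues with PK11DEL and TOP_BUILDDIR empty. A guard before the source line, `: "${SYSTEMTESTTOP:?must be exported by the caller}"`, makes the dependency explicit and gives a readable error. The new last line also leaves the script's exit status at 1 whenever pkcs11-destroy is not built, which preserves the old `exit 1` but is now implicit; a comment such as `# exit status is non-zero when the PKCS#11 tools are not built` would document that for callers. Only the top of the file is visible in the hunk.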
@@ -15,7 +15,7 @@ options {
 query-source address 10.53.0.1;
 notify-source 10.53.0.1;
 transfer-source 10.53.0.1;
- port 5300;
+ port @PORT@;
 pid-file "named.pid";
 listen-on { 10.53.0.1; };
 listen-on-v6 { none; };
@@ -30,23 +30,5 @@ key rndc_key {
 };
 controls {
- inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
-};
-
-zone "rsa.example." {
- type master;
- file "rsa.example.db.signed";
- allow-update { any; };
-};
-
-zone "ecc.example." {
- type master;
- file "ecc.example.db.signed";
- allow-update { any; };
-};
-
-zone "ecx.example." {
- type master;
- file "ecx.example.db.signed";
- allow-update { any; };
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
diff --git a/bin/tests/system/pkcs11/setup.sh b/bin/tests/system/pkcs11/setup.sh
index 946edb1b34f..2787ad1a805 100644
--- a/bin/tests/system/pkcs11/setup.sh
+++ b/bin/tests/system/pkcs11/setup.sh
@@ -9,105 +9,83 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
-set -e
+set -eu
 # shellcheck source=conf.sh
-. $SYSTEMTESTTOP/conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
-echo "I:(Native PKCS#11)" >&2
-ecxfail=0
-
-$SHELL ../testcrypto.sh -q eddsa || ecxfail=1
-
-rm -f supported
-touch supported
-echo rsa >> supported
-echo ecc >> supported
-if [ $ecxfail = 0 ]; then
- echo ecx >> supported
-fi
+echo_i "Generating keys for Native PKCS#11" >&2
 infile=ns1/example.db.in
 printf '%s' "${HSMPIN:-1234}" > pin
 PWD=$(pwd)
-zone=rsa.example
-zonefile=ns1/rsa.example.db
-have_rsa=$(grep rsa supported || true)
-if [ "x$have_rsa" != "x" ]; then
- $PK11GEN -a RSA -b 1024 -l robie-rsa-zsk1 -i 01
- $PK11GEN -a RSA -b 1024 -l robie-rsa-zsk2 -i 02
- $PK11GEN -a RSA -b 2048 -l robie-rsa-ksk
-
- rsazsk1=$($KEYFRLAB -a RSASHA1 \
- -l "object=robie-rsa-zsk1;pin-source=$PWD/pin" rsa.example)
- rsazsk2=$($KEYFRLAB -a RSASHA1 \
- -l "object=robie-rsa-zsk2;pin-source=$PWD/pin" rsa.example)
- rsaksk=$($KEYFRLAB -a RSASHA1 -f ksk \
- -l "object=robie-rsa-ksk;pin-source=$PWD/pin" rsa.example)
-
- cat $infile "$rsazsk1".key "$rsaksk".key > $zonefile
- $SIGNER -a -P -g -o $zone $zonefile \
- > /dev/null 2> signer.err || cat signer.err
- cp "$rsazsk2".key ns1/rsa.key
- mv Krsa* ns1
-else
- # RSA not available and will not be tested; make a placeholder
- cp $infile ${zonefile}.signed
-fi
-
-zone=ecc.example
-zonefile=ns1/ecc.example.db
-have_ecc=$(grep ecc supported || true)
-if [ "x$have_ecc" != "x" ]; then
- $PK11GEN -a ECC -b 256 -l robie-ecc-zsk1 -i 03
- $PK11GEN -a ECC -b 256 -l robie-ecc-zsk2 -i 04
- $PK11GEN -a ECC -b 384 -l robie-ecc-ksk
-
- ecczsk1=$($KEYFRLAB -a ECDSAP256SHA256 \
- -l "object=robie-ecc-zsk1;pin-source=$PWD/pin" ecc.example)
- ecczsk2=$($KEYFRLAB -a ECDSAP256SHA256 \
- -l "object=robie-ecc-zsk2;pin-source=$PWD/pin" ecc.example)
- eccksk=$($KEYFRLAB -a ECDSAP384SHA384 -f ksk \
- -l 
"object=robie-ecc-ksk;pin-source=$PWD/pin" ecc.example)
-
- cat $infile "$ecczsk1".key "$eccksk".key > $zonefile
- $SIGNER -a -P -g -o $zone $zonefile \
- > /dev/null 2> signer.err || cat signer.err
- cp "$ecczsk2".key ns1/ecc.key
- mv Kecc* ns1
-else
- # ECC not available and will not be tested; make a placeholder
- cp $infile ${zonefile}.signed
-fi
-
-zone=ecx.example
-zonefile=ns1/ecx.example.db
-have_ecx=$(grep ecx supported || true)
-if [ "x$have_ecx" != "x" ]; then
- $PK11GEN -a ECX -b 256 -l robie-ecx-zsk1 -i 05
- $PK11GEN -a ECX -b 256 -l robie-ecx-zsk2 -i 06
- $PK11GEN -a ECX -b 256 -l robie-ecx-ksk
-# $PK11GEN -a ECX -b 456 -l robie-ecx-ksk
-
- ecxzsk1=$($KEYFRLAB -a ED25519 \
- -l "object=robie-ecx-zsk1;pin-source=$PWD/pin" ecx.example)
- ecxzsk2=$($KEYFRLAB -a ED25519 \
- -l "object=robie-ecx-zsk2;pin-source=$PWD/pin" ecx.example)
- ecxksk=$($KEYFRLAB -a ED25519 -f ksk \
- -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example)
-# ecxksk=`$KEYFRLAB -a ED448 -f ksk \
-# -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example`
-
- cat $infile "$ecxzsk1".key "$ecxksk".key > $zonefile
- $SIGNER -a -P -g -o $zone $zonefile \
- > /dev/null 2> signer.err || cat signer.err
- cp "$ecxzsk2".key ns1/ecx.key
- mv Kecx* ns1
-else
- # ECX not available and will not be tested; make a placeholder
- cp $infile ${zonefile}.signed
-fi
-
-rm -f signer.err
+copy_setports ns1/named.conf.in ns1/named.conf
+
+get_random() {
+ dd if=/dev/urandom bs=1 count=2 2>/dev/null | od -tu2 -An
+}
+
+genpkcs() (
+ alg="$1"
+ bits="$2"
+ label="$3"
+ id="$(get_random)"
+
+ $PK11DEL -l "$label" -w0 >/dev/null || true
+ $PK11GEN -a "$alg" -b "$bits" -l "$label" -i "$id" >/dev/null
+)
+
+keyfrlab() (
+ alg="$1"
+ bits="$2"
+ label="$3"
+ zone="$4"
+ shift 4
+
+ $KEYFRLAB -a "$alg" -l "pkcs11:object=$label;pin-source=$PWD/pin" "$@" "$zone"
+)
+
+genzsk() (
+ genpkcs "$@"
+ keyfrlab "$@"
+)
+
+genksk() (
+ genpkcs "$@"
+ keyfrlab "$@" -f ksk
+)
+
+algs=
+for algbits in rsasha256:2048 
rsasha512:2048 ecdsap256sha256:256 ecdsap384sha384:384 ed25519:256 ed448:456; do + alg=$(echo "$algbits" | cut -f 1 -d :) + bits=$(echo "$algbits" | cut -f 2 -d :) + zone="$alg.example" + zonefile="ns1/$alg.example.db" + if $SHELL "$SYSTEMTESTTOP/testcrypto.sh" "$alg"; then + echo "$alg" >> supported + algs="$algs$alg " + + zsk1=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk1" "$zone") + zsk2=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk2" "$zone") + ksk1=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk1" "$zone") + ksk2=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk2" "$zone") + + cat "$infile" "$zsk1.key" "$ksk1.key" > "$zonefile" + $SIGNER -a -P -g -o "$zone" "$zonefile" > /dev/null + cp "$zsk2.key" "ns1/$alg.zsk" + cp "$ksk2.key" "ns1/$alg.ksk" + mv "K$alg"* ns1/ + + cat >> ns1/named.conf < "dig.out.$rrtype.$alg" && + count=$(count_rrsigs "dig.out.$rrtype.$alg") && + test "$count" -gt "$count0" +) + +test_done() { + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + ret=0 } status=0 ret=0 -algs="" -have_rsa=$(grep rsa supported || true) -if [ "x$have_rsa" != "x" ]; then - algs="rsa " -fi -have_ecc=$(grep ecc supported || true) -if [ "x$have_ecc" != "x" ]; then - algs=$algs"ecc " -fi -have_ecx=$(grep ecx supported || true) -if [ "x$have_ecx" != "x" ]; then - algs=$algs"ecx " -fi - -for alg in $algs; do - zonefile=ns1/$alg.example.db - echo "I:testing PKCS#11 key generation ($alg)" - count=$($PK11LIST | grep -c "robie-$alg-ksk" || true) - if [ "$count" -ne 2 ]; then echo "I:failed"; status=1; fi - - echo "I:testing offline signing with PKCS#11 keys ($alg)" - - count=$(grep -c RRSIG "$zonefile.signed" || true) - if [ "$count" -ne 12 ]; then echo "I:failed"; status=1; fi - - echo "I:testing inline signing with PKCS#11 keys ($alg)" - - dig_with_opts "ns.$alg.example." 
@10.53.0.1 a > "dig.out.$alg.0" || ret=1 - if [ $ret -ne 0 ]; then echo "I:failed"; fi - status=$((status + ret)) - count0=$(grep -c RRSIG "dig.out.$alg.0" || true) - - $NSUPDATE -v > "upd.log.$alg" < "dig.out.SOA.$alg.0" || ret=1 + countSOA0=$(count_rrsigs "dig.out.SOA.$alg.0") + new_zsk=$(grep -v ';' "ns1/$alg.zsk") + + cat > "upd.cmd.ZSK.$alg" < "upd.log.ZSK.$alg" < "upd.cmd.ZSK.$alg" || ret=1 - dig_with_opts "ns.$alg.example." @10.53.0.1 a > "dig.out.$alg" || ret=1 - if [ $ret -ne 0 ]; then echo "I:failed"; fi - status=$((status + ret)) - count=$(grep -c RRSIG "dig.out.$alg" || true) - if [ "$count" -le "$count0" ]; then echo "I:failed"; status=1; fi + retry_quiet 20 dig_for_rr "$alg" "SOA" "$countSOA0" || ret=1 + test_done - echo "I:testing PKCS#11 key destroy ($alg)" - ret=0 - $PK11DEL -l "robie-$alg-ksk" -w0 > /dev/null 2>&1 || ret=1 - $PK11DEL -l "robie-$alg-zsk1" -w0 > /dev/null 2>&1 || ret=1 - case $alg in - rsa) id=02 ;; - ecc) id=04 ;; - ecx) id=06 ;; - esac - $PK11DEL -i $id -w0 > /dev/null 2>&1 || ret=1 - if [ $ret -ne 0 ]; then echo "I:failed"; fi - status=$((status + ret)) - count=$($PK11LIST | grep -c "robie-$alg" || true) - if [ "$count" -ne 0 ]; then echo "I:failed"; fi - status=$((status + count)) -done - -echo "I:exit status: $status" + echo_i "testing inline signing with new PKCS#11 KSK ($alg)" + + dig_with_opts "$alg.example." 
@10.53.0.1 "DNSKEY" > "dig.out.DNSKEY.$alg.0" || ret=1 + countDNSKEY0=$(count_rrsigs "dig.out.DNSKEY.$alg.0") + new_ksk=$(grep -v ';' "ns1/$alg.ksk") + + cat > "upd.cmd.KSK.$alg" < "upd.log.KSK.$alg" < "upd.cmd.KSK.$alg" || ret=1 + + retry_quiet 20 dig_for_rr "$alg" "DNSKEY" "$countDNSKEY0" || ret=1 + test_done + + echo_i "testing PKCS#11 key destroy ($alg)" + + # Lookup all existing keys + echo_i "looking up all existing keys ($alg)" + $PK11LIST > "pkcs11-list.out.id.$alg" || ret=1 + test_done + + echo_i "destroying key with 'pkcs11-$alg-ksk1' label ($alg)" + $PK11DEL -l "pkcs11-$alg-ksk1" > /dev/null 2>&1 || ret=1 + test_done + + echo_i "destroying key with 'pkcs11-$alg-zsk1' label ($alg)" + $PK11DEL -l "pkcs11-$alg-zsk1" > /dev/null 2>&1 || ret=1 + test_done + + id=$(awk -v label="'pkcs11-$alg-ksk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg") + echo_i "destroying key with $id id ($alg)" + if [ -n "$id" ]; then + $PK11DEL -i "$id" > /dev/null 2>&1 || ret=1 + else + ret=1 + fi + test_done + + id=$(awk -v label="'pkcs11-$alg-zsk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg") + echo_i "destroying key with $id id ($alg)" + if [ -n "$id" ]; then + $PK11DEL -i "$id" > /dev/null 2>&1 || ret=1 + else + ret=1 + fi + test_done + + echo_i "checking if all keys have been destroyed ($alg)" + $PK11LIST > "pkcs11-list.out.$alg" || ret=1 + count=$(grep -c "pkcs11-$alg-[kz]sk[0-9]*" "pkcs11-list.out.$alg" || true) + [ "$count" -eq 0 ] || ret=1 + test_done + n=$((n+1)) +done < supported + +echo_i "Checking if all supported algorithms were tested" +[ "$n" -eq "$(wc -l < supported)" ] || ret=1 +test_done + +echo_i "exit status: $status" [ "$status" -eq 0 ] || exit 1 diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh index ae085c1a20c..c4d34ad7c3c 100644 --- a/bin/tests/system/testcrypto.sh +++ b/bin/tests/system/testcrypto.sh 
@@ -29,11 +29,27 @@ while test "$#" -gt 0; do
 alg="-a RSASHA1"
 msg="RSA cryptography"
 ;;
- ecdsa|ECDSA)
- alg="-a ecdsap256sha256"
+ rsasha256|RSASHA256)
+ alg="-a RSASHA256"
+ msg="RSA cryptography"
+ ;;
+ rsasha512|RSASHA512)
+ alg="-a RSASHA512"
+ msg="RSA cryptography"
+ ;;
+ ecdsa|ECDSA|ecdsap256sha256|ECDSAP256SHA256)
+ alg="-a ECDSAP256SHA256"
 msg="ECDSA cryptography"
 ;;
+ ecdsap384sha384|ECDSAP384SHA384)
+ alg="-a ECDSAP384SHA384"
+ msg="ECDSA cryptography"
+ ;;
+ eddsa|EDDSA|ed25519|ED25519)
+ alg="-a ED25519"
+ msg="EDDSA cryptography"
+ ;;
+ ed448|ED448)
 alg="-a ED25519"
 msg="EDDSA cryptography"
 ;;
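Review bot: The new `ed448|ED448)` arm has no body of its own and falls through to the unchanged `alg="-a ED25519"` context line below it, so asking testcrypto.sh about ed448 actually probes Ed25519. setup.sh in this same commit runs `testcrypto.sh "$alg"` for each entry of its algorithm list and appends the name to `supported` on success, so an Ed25519-only build would record ed448 as supported and then attempt key generation and signing with an algorithm it does not have. The arm should mirror the rsasha512 and ecdsap384sha384 arms above it, with its own `alg="-a ED448"` and `msg="EDDSA cryptography"` followed by `;;`, leaving the old `alg="-a ED25519"` body to the eddsa/ed25519 arm only. The enclosing `case` and the `while test "$#" -gt 0` loop start and end outside the hunk.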