summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/pkcs11
diff options
context:
space:
mode:
Diffstat (limited to 'bin/tests/system/pkcs11')
-rw-r--r--bin/tests/system/pkcs11/clean.sh16
-rw-r--r--bin/tests/system/pkcs11/ns1/example.db.in22
-rw-r--r--bin/tests/system/pkcs11/ns1/named.conf51
-rw-r--r--bin/tests/system/pkcs11/prereq.sh36
-rw-r--r--bin/tests/system/pkcs11/setup.sh98
-rw-r--r--bin/tests/system/pkcs11/tests.sh87
-rw-r--r--bin/tests/system/pkcs11/usepkcs111
7 files changed, 311 insertions, 0 deletions
diff --git a/bin/tests/system/pkcs11/clean.sh b/bin/tests/system/pkcs11/clean.sh
new file mode 100644
index 0000000..f5be432
--- /dev/null
+++ b/bin/tests/system/pkcs11/clean.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
+rm -f dig.out* pin upd.log*
+rm -f ns1/*.key ns1/named.memstats
+rm -f supported
+rm -f ns*/named.lock
diff --git a/bin/tests/system/pkcs11/ns1/example.db.in b/bin/tests/system/pkcs11/ns1/example.db.in
new file mode 100644
index 0000000..95d2a63
--- /dev/null
+++ b/bin/tests/system/pkcs11/ns1/example.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns root (
+ 2000082401 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+
+txt TXT "recursed"
+
diff --git a/bin/tests/system/pkcs11/ns1/named.conf b/bin/tests/system/pkcs11/ns1/named.conf
new file mode 100644
index 0000000..5ac9a2f
--- /dev/null
+++ b/bin/tests/system/pkcs11/ns1/named.conf
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+zone "rsa.example." {
+ type master;
+ file "rsa.example.db.signed";
+ allow-update { any; };
+};
+
+zone "ecc.example." {
+ type master;
+ file "ecc.example.db.signed";
+ allow-update { any; };
+};
+
+zone "ecx.example." {
+ type master;
+ file "ecx.example.db.signed";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/pkcs11/prereq.sh b/bin/tests/system/pkcs11/prereq.sh
new file mode 100644
index 0000000..0eb3b78
--- /dev/null
+++ b/bin/tests/system/pkcs11/prereq.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+echo "I:(Native PKCS#11)" >&2
+rsafail=0 eccfail=0 ecxfail=0
+
+$SHELL ../testcrypto.sh -q rsa || rsafail=1
+$SHELL ../testcrypto.sh -q ecdsa || eccfail=1
+$SHELL ../testcrypto.sh -q eddsa || ecxfail=1
+
+if [ $rsafail = 1 -a $eccfail = 1 ]; then
+ echo "I:This test requires PKCS#11 support for either RSA or ECDSA cryptography." >&2
+ exit 255
+fi
+rm -f supported
+touch supported
+if [ $rsafail = 0 ]; then
+ echo rsa >> supported
+fi
+if [ $eccfail = 0 ]; then
+ echo ecc >> supported
+fi
+if [ $ecxfail = 0 ]; then
+ echo ecx >> supported
+fi
diff --git a/bin/tests/system/pkcs11/setup.sh b/bin/tests/system/pkcs11/setup.sh
new file mode 100644
index 0000000..4fc5ec5
--- /dev/null
+++ b/bin/tests/system/pkcs11/setup.sh
@@ -0,0 +1,98 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+infile=ns1/example.db.in
+
+/bin/echo -n ${HSMPIN:-1234}> pin
+PWD=`pwd`
+
+zone=rsa.example
+zonefile=ns1/rsa.example.db
+have_rsa=`grep rsa supported`
+if [ "x$have_rsa" != "x" ]; then
+ $PK11GEN -a RSA -b 1024 -l robie-rsa-zsk1 -i 01
+ $PK11GEN -a RSA -b 1024 -l robie-rsa-zsk2 -i 02
+ $PK11GEN -a RSA -b 2048 -l robie-rsa-ksk
+
+ rsazsk1=`$KEYFRLAB -a RSASHA1 \
+ -l "object=robie-rsa-zsk1;pin-source=$PWD/pin" rsa.example`
+ rsazsk2=`$KEYFRLAB -a RSASHA1 \
+ -l "object=robie-rsa-zsk2;pin-source=$PWD/pin" rsa.example`
+ rsaksk=`$KEYFRLAB -a RSASHA1 -f ksk \
+ -l "object=robie-rsa-ksk;pin-source=$PWD/pin" rsa.example`
+
+ cat $infile $rsazsk1.key $rsaksk.key > $zonefile
+ $SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
+ > /dev/null 2> signer.err || cat signer.err
+ cp $rsazsk2.key ns1/rsa.key
+ mv Krsa* ns1
+else
+ # RSA not available and will not be tested; make a placeholder
+ cp $infile ${zonefile}.signed
+fi
+
+zone=ecc.example
+zonefile=ns1/ecc.example.db
+have_ecc=`grep ecc supported`
+if [ "x$have_ecc" != "x" ]; then
+ $PK11GEN -a ECC -b 256 -l robie-ecc-zsk1 -i 03
+ $PK11GEN -a ECC -b 256 -l robie-ecc-zsk2 -i 04
+ $PK11GEN -a ECC -b 384 -l robie-ecc-ksk
+
+ ecczsk1=`$KEYFRLAB -a ECDSAP256SHA256 \
+ -l "object=robie-ecc-zsk1;pin-source=$PWD/pin" ecc.example`
+ ecczsk2=`$KEYFRLAB -a ECDSAP256SHA256 \
+ -l "object=robie-ecc-zsk2;pin-source=$PWD/pin" ecc.example`
+ eccksk=`$KEYFRLAB -a ECDSAP384SHA384 -f ksk \
+ -l "object=robie-ecc-ksk;pin-source=$PWD/pin" ecc.example`
+
+ cat $infile $ecczsk1.key $eccksk.key > $zonefile
+ $SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
+ > /dev/null 2> signer.err || cat signer.err
+ cp $ecczsk2.key ns1/ecc.key
+ mv Kecc* ns1
+else
+ # ECC not available and will not be tested; make a placeholder
+ cp $infile ${zonefile}.signed
+fi
+
+zone=ecx.example
+zonefile=ns1/ecx.example.db
+have_ecx=`grep ecx supported`
+if [ "x$have_ecx" != "x" ]; then
+ $PK11GEN -a ECX -b 256 -l robie-ecx-zsk1 -i 05
+ $PK11GEN -a ECX -b 256 -l robie-ecx-zsk2 -i 06
+ $PK11GEN -a ECX -b 256 -l robie-ecx-ksk
+# $PK11GEN -a ECX -b 456 -l robie-ecx-ksk
+
+ ecxzsk1=`$KEYFRLAB -a ED25519 \
+ -l "object=robie-ecx-zsk1;pin-source=$PWD/pin" ecx.example`
+ ecxzsk2=`$KEYFRLAB -a ED25519 \
+ -l "object=robie-ecx-zsk2;pin-source=$PWD/pin" ecx.example`
+ ecxksk=`$KEYFRLAB -a ED25519 -f ksk \
+ -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example`
+# ecxksk=`$KEYFRLAB -a ED448 -f ksk \
+# -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example`
+
+ cat $infile $ecxzsk1.key $ecxksk.key > $zonefile
+ $SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
+ > /dev/null 2> signer.err || cat signer.err
+ cp $ecxzsk2.key ns1/ecx.key
+ mv Kecx* ns1
+else
+ # ECX not available and will not be tested; make a placeholder
+ cp $infile ${zonefile}.signed
+fi
+
+rm -f signer.err
diff --git a/bin/tests/system/pkcs11/tests.sh b/bin/tests/system/pkcs11/tests.sh
new file mode 100644
index 0000000..cf3b549
--- /dev/null
+++ b/bin/tests/system/pkcs11/tests.sh
@@ -0,0 +1,87 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
+
+status=0
+ret=0
+
+algs=""
+have_rsa=`grep rsa supported`
+if [ "x$have_rsa" != "x" ]; then
+ algs="rsa "
+fi
+have_ecc=`grep ecc supported`
+if [ "x$have_ecc" != "x" ]; then
+ algs=$algs"ecc "
+fi
+have_ecx=`grep ecc supported`
+if [ "x$have_ecx" != "x" ]; then
+ algs=$algs"ecx "
+fi
+
+for alg in $algs; do
+ zonefile=ns1/$alg.example.db
+ echo "I:testing PKCS#11 key generation ($alg)"
+ count=`$PK11LIST | grep robie-$alg-ksk | wc -l`
+ if [ $count != 2 ]; then echo "I:failed"; status=1; fi
+
+ echo "I:testing offline signing with PKCS#11 keys ($alg)"
+
+ count=`grep RRSIG $zonefile.signed | wc -l`
+ if [ $count != 12 ]; then echo "I:failed"; status=1; fi
+
+ echo "I:testing inline signing with PKCS#11 keys ($alg)"
+
+ $DIG $DIGOPTS ns.$alg.example. @10.53.0.1 a > dig.out.$alg.0 || ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+ count0=`grep RRSIG dig.out.$alg.0 | wc -l`
+
+ $NSUPDATE -v > upd.log.$alg <<END || status=1
+server 10.53.0.1 5300
+ttl 300
+zone $alg.example.
+update add `grep -v ';' ns1/${alg}.key`
+send
+END
+
+ echo "I:waiting 20 seconds for key changes to take effect"
+ sleep 20
+
+ $DIG $DIGOPTS ns.$alg.example. @10.53.0.1 a > dig.out.$alg || ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+ count=`grep RRSIG dig.out.$alg | wc -l`
+ if [ $count -le $count0 ]; then echo "I:failed"; status=1; fi
+
+ echo "I:testing PKCS#11 key destroy ($alg)"
+ ret=0
+ $PK11DEL -l robie-$alg-ksk -w0 > /dev/null 2>&1 || ret=1
+ $PK11DEL -l robie-$alg-zsk1 -w0 > /dev/null 2>&1 || ret=1
+ case $alg in
+ rsa) id=02 ;;
+ ecc) id=04 ;;
+ ecx) id=06 ;;
+ esac
+ $PK11DEL -i $id -w0 > /dev/null 2>&1 || ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+ count=`$PK11LIST | grep robie-$alg | wc -l`
+ if [ $count != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $count`
+done
+
+echo "I:exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/pkcs11/usepkcs11 b/bin/tests/system/pkcs11/usepkcs11
new file mode 100644
index 0000000..ef46412
--- /dev/null
+++ b/bin/tests/system/pkcs11/usepkcs11
@@ -0,0 +1 @@
+This test relies on PKCS#11!