Diffstat (limited to 'bin/tests/system/pkcs11')
-rw-r--r-- | bin/tests/system/pkcs11/clean.sh | 16 | ||||
-rw-r--r-- | bin/tests/system/pkcs11/ns1/example.db.in | 22 | ||||
-rw-r--r-- | bin/tests/system/pkcs11/ns1/named.conf | 51 | ||||
-rw-r--r-- | bin/tests/system/pkcs11/prereq.sh | 36 | ||||
-rw-r--r-- | bin/tests/system/pkcs11/setup.sh | 98 | ||||
-rw-r--r-- | bin/tests/system/pkcs11/tests.sh | 87 | ||||
-rw-r--r-- | bin/tests/system/pkcs11/usepkcs11 | 1 |
7 files changed, 311 insertions, 0 deletions
diff --git a/bin/tests/system/pkcs11/clean.sh b/bin/tests/system/pkcs11/clean.sh
new file mode 100644
index 0000000..f5be432
--- /dev/null
+++ b/bin/tests/system/pkcs11/clean.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
+rm -f dig.out* pin upd.log*
+rm -f ns1/*.key ns1/named.memstats
+rm -f supported
+rm -f ns*/named.lock
diff --git a/bin/tests/system/pkcs11/ns1/example.db.in b/bin/tests/system/pkcs11/ns1/example.db.in
new file mode 100644
index 0000000..95d2a63
--- /dev/null
+++ b/bin/tests/system/pkcs11/ns1/example.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns root (
+ 2000082401 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+
+txt TXT "recursed"
+
diff --git a/bin/tests/system/pkcs11/ns1/named.conf b/bin/tests/system/pkcs11/ns1/named.conf
new file mode 100644
index 0000000..5ac9a2f
--- /dev/null
+++ b/bin/tests/system/pkcs11/ns1/named.conf
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+zone "rsa.example." {
+ type master;
+ file "rsa.example.db.signed";
+ allow-update { any; };
+};
+
+zone "ecc.example." {
+ type master;
+ file "ecc.example.db.signed";
+ allow-update { any; };
+};
+
+zone "ecx.example." {
+ type master;
+ file "ecx.example.db.signed";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/pkcs11/prereq.sh b/bin/tests/system/pkcs11/prereq.sh
new file mode 100644
index 0000000..0eb3b78
--- /dev/null
+++ b/bin/tests/system/pkcs11/prereq.sh
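Review bot: All three zones take `allow-update { any; };` and the control channel uses a fixed short secret (`secret "1234abcd8765";`), with nothing in the file saying these are test-only settings. Since `listen-on` and the `controls` socket are bound to 10.53.0.1 on non-standard ports this is presumably deliberate for the harness, but a reader copying the fixture gets no cue; a header comment such as `/* Test fixture only: unauthenticated dynamic updates and a fixed rndc key are acceptable because named is bound to the private test address 10.53.0.1. */` would make that explicit. The file also carries two `controls` statements, the empty one near the top and the `inet 10.53.0.1 port 9953` one further down; if the empty one is a leftover it should go, otherwise a one-line comment on why both are present would help.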
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+echo "I:(Native PKCS#11)" >&2
+rsafail=0 eccfail=0 ecxfail=0
+
+$SHELL ../testcrypto.sh -q rsa || rsafail=1
+$SHELL ../testcrypto.sh -q ecdsa || eccfail=1
+$SHELL ../testcrypto.sh -q eddsa || ecxfail=1
+
+if [ $rsafail = 1 -a $eccfail = 1 ]; then
+ echo "I:This test requires PKCS#11 support for either RSA or ECDSA cryptography." >&2
+ exit 255
+fi
+rm -f supported
+touch supported
+if [ $rsafail = 0 ]; then
+ echo rsa >> supported
+fi
+if [ $eccfail = 0 ]; then
+ echo ecc >> supported
+fi
+if [ $ecxfail = 0 ]; then
+ echo ecx >> supported
+fi
diff --git a/bin/tests/system/pkcs11/setup.sh b/bin/tests/system/pkcs11/setup.sh
new file mode 100644
index 0000000..4fc5ec5
--- /dev/null
+++ b/bin/tests/system/pkcs11/setup.sh
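Review bot: The skip condition `if [ $rsafail = 1 -a $eccfail = 1 ]; then` never looks at `ecxfail`, so a provider that supports only EdDSA exits 255 here even though setup.sh and tests.sh are written to handle the `ecx` case. If the test genuinely needs RSA or ECDSA the message is right and a comment should say why; otherwise the check should become `if [ $rsafail = 1 ] && [ $eccfail = 1 ] && [ $ecxfail = 1 ]; then` with the message widened to mention EdDSA, which also drops the ambiguous `-a` operator inside `[`. The three `$SHELL ../testcrypto.sh` calls hard-code `..` although `$SYSTEMTESTTOP` is set two lines above for exactly that path.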
@@ -0,0 +1,98 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+infile=ns1/example.db.in
+
+/bin/echo -n ${HSMPIN:-1234}> pin
+PWD=`pwd`
+
+zone=rsa.example
+zonefile=ns1/rsa.example.db
+have_rsa=`grep rsa supported`
+if [ "x$have_rsa" != "x" ]; then
+ $PK11GEN -a RSA -b 1024 -l robie-rsa-zsk1 -i 01
+ $PK11GEN -a RSA -b 1024 -l robie-rsa-zsk2 -i 02
+ $PK11GEN -a RSA -b 2048 -l robie-rsa-ksk
+
+ rsazsk1=`$KEYFRLAB -a RSASHA1 \
+ -l "object=robie-rsa-zsk1;pin-source=$PWD/pin" rsa.example`
+ rsazsk2=`$KEYFRLAB -a RSASHA1 \
+ -l "object=robie-rsa-zsk2;pin-source=$PWD/pin" rsa.example`
+ rsaksk=`$KEYFRLAB -a RSASHA1 -f ksk \
+ -l "object=robie-rsa-ksk;pin-source=$PWD/pin" rsa.example`
+
+ cat $infile $rsazsk1.key $rsaksk.key > $zonefile
+ $SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
+ > /dev/null 2> signer.err || cat signer.err
+ cp $rsazsk2.key ns1/rsa.key
+ mv Krsa* ns1
+else
+ # RSA not available and will not be tested; make a placeholder
+ cp $infile ${zonefile}.signed
+fi
+
+zone=ecc.example
+zonefile=ns1/ecc.example.db
+have_ecc=`grep ecc supported`
+if [ "x$have_ecc" != "x" ]; then
+ $PK11GEN -a ECC -b 256 -l robie-ecc-zsk1 -i 03
+ $PK11GEN -a ECC -b 256 -l robie-ecc-zsk2 -i 04
+ $PK11GEN -a ECC -b 384 -l robie-ecc-ksk
+
+ ecczsk1=`$KEYFRLAB -a ECDSAP256SHA256 \
+ -l "object=robie-ecc-zsk1;pin-source=$PWD/pin" ecc.example`
+ ecczsk2=`$KEYFRLAB -a ECDSAP256SHA256 \
+ -l "object=robie-ecc-zsk2;pin-source=$PWD/pin" ecc.example`
+ eccksk=`$KEYFRLAB -a ECDSAP384SHA384 -f ksk \
+ -l "object=robie-ecc-ksk;pin-source=$PWD/pin" ecc.example`
+
+ cat $infile $ecczsk1.key $eccksk.key > $zonefile
+ $SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
+ > /dev/null 2> signer.err || cat signer.err
+ cp $ecczsk2.key ns1/ecc.key
+ mv Kecc* ns1
+else
+ # ECC not available and will not be tested; make a placeholder
+ cp $infile ${zonefile}.signed
+fi
+
+zone=ecx.example
+zonefile=ns1/ecx.example.db
+have_ecx=`grep ecx supported`
+if [ "x$have_ecx" != "x" ]; then
+ $PK11GEN -a ECX -b 256 -l robie-ecx-zsk1 -i 05
+ $PK11GEN -a ECX -b 256 -l robie-ecx-zsk2 -i 06
+ $PK11GEN -a ECX -b 256 -l robie-ecx-ksk
+# $PK11GEN -a ECX -b 456 -l robie-ecx-ksk
+
+ ecxzsk1=`$KEYFRLAB -a ED25519 \
+ -l "object=robie-ecx-zsk1;pin-source=$PWD/pin" ecx.example`
+ ecxzsk2=`$KEYFRLAB -a ED25519 \
+ -l "object=robie-ecx-zsk2;pin-source=$PWD/pin" ecx.example`
+ ecxksk=`$KEYFRLAB -a ED25519 -f ksk \
+ -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example`
+# ecxksk=`$KEYFRLAB -a ED448 -f ksk \
+# -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example`
+
+ cat $infile $ecxzsk1.key $ecxksk.key > $zonefile
+ $SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
+ > /dev/null 2> signer.err || cat signer.err
+ cp $ecxzsk2.key ns1/ecx.key
+ mv Kecx* ns1
+else
+ # ECX not available and will not be tested; make a placeholder
+ cp $infile ${zonefile}.signed
+fi
+
+rm -f signer.err
diff --git a/bin/tests/system/pkcs11/tests.sh b/bin/tests/system/pkcs11/tests.sh
new file mode 100644
index 0000000..cf3b549
--- /dev/null
+++ b/bin/tests/system/pkcs11/tests.sh
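Review bot: `/bin/echo -n ${HSMPIN:-1234}> pin` writes the HSM PIN to `pin` under whatever umask the caller has, so on a shared build host a real PIN supplied through `HSMPIN` lands in a file other users can typically read; `(umask 077; printf '%s' "${HSMPIN:-1234}" > pin)` keeps it private to the test user and also drops the non-portable `echo -n`. `PWD=\`pwd\`` overwrites the shell's own `PWD` variable; it works, but a name such as `pindir` would read more clearly in the `pin-source=$PWD/pin` arguments. Each `$SIGNER … || cat signer.err` prints the signer's error and carries on, so a failed signing run only shows up later in tests.sh as a wrong RRSIG count; if the harness treats a non-zero exit from setup.sh as a failure, `|| { cat signer.err; exit 1; }` would point at the real cause.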
@@ -0,0 +1,87 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
+
+status=0
+ret=0
+
+algs=""
+have_rsa=`grep rsa supported`
+if [ "x$have_rsa" != "x" ]; then
+ algs="rsa "
+fi
+have_ecc=`grep ecc supported`
+if [ "x$have_ecc" != "x" ]; then
+ algs=$algs"ecc "
+fi
+have_ecx=`grep ecc supported`
+if [ "x$have_ecx" != "x" ]; then
+ algs=$algs"ecx "
+fi
+
+for alg in $algs; do
+ zonefile=ns1/$alg.example.db
+ echo "I:testing PKCS#11 key generation ($alg)"
+ count=`$PK11LIST | grep robie-$alg-ksk | wc -l`
+ if [ $count != 2 ]; then echo "I:failed"; status=1; fi
+
+ echo "I:testing offline signing with PKCS#11 keys ($alg)"
+
+ count=`grep RRSIG $zonefile.signed | wc -l`
+ if [ $count != 12 ]; then echo "I:failed"; status=1; fi
+
+ echo "I:testing inline signing with PKCS#11 keys ($alg)"
+
+ $DIG $DIGOPTS ns.$alg.example. @10.53.0.1 a > dig.out.$alg.0 || ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+ count0=`grep RRSIG dig.out.$alg.0 | wc -l`
+
+ $NSUPDATE -v > upd.log.$alg <<END || status=1
+server 10.53.0.1 5300
+ttl 300
+zone $alg.example.
+update add `grep -v ';' ns1/${alg}.key`
+send
+END
+
+ echo "I:waiting 20 seconds for key changes to take effect"
+ sleep 20
+
+ $DIG $DIGOPTS ns.$alg.example. @10.53.0.1 a > dig.out.$alg || ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+ count=`grep RRSIG dig.out.$alg | wc -l`
+ if [ $count -le $count0 ]; then echo "I:failed"; status=1; fi
+
+ echo "I:testing PKCS#11 key destroy ($alg)"
+ ret=0
+ $PK11DEL -l robie-$alg-ksk -w0 > /dev/null 2>&1 || ret=1
+ $PK11DEL -l robie-$alg-zsk1 -w0 > /dev/null 2>&1 || ret=1
+ case $alg in
+ rsa) id=02 ;;
+ ecc) id=04 ;;
+ ecx) id=06 ;;
+ esac
+ $PK11DEL -i $id -w0 > /dev/null 2>&1 || ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+ count=`$PK11LIST | grep robie-$alg | wc -l`
+ if [ $count != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $count`
+done
+
+echo "I:exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/pkcs11/usepkcs11 b/bin/tests/system/pkcs11/usepkcs11
new file mode 100644
index 0000000..ef46412
--- /dev/null
+++ b/bin/tests/system/pkcs11/usepkcs11
@@ -0,0 +1 @@
+This test relies on PKCS#11! |
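Review bot: `have_ecx=\`grep ecc supported\`` greps for `ecc` rather than `ecx`, so the Ed25519 zone is exercised exactly when ECDSA is available and never when only EdDSA is; the line should read `have_ecx=\`grep ecx supported\``. `ret` is only reset to 0 right before the key-destroy step, so when the first `$DIG` in an iteration fails the same `ret=1` is added to `status` again after the second `$DIG`, and it stays set for the next algorithm's dig checks; a `ret=0` ahead of each `$DIG … || ret=1` keeps the count honest. The thresholds `count != 2` for the KSK listing and `count != 12` for RRSIGs in the signed zone are bare magic numbers; a short comment stating what each one counts (presumably the objects returned per label, and the number of signed RRsets in the fixture zone) would help whoever next edits example.db.in.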