Diffstat (limited to 'bin/tests/system/pkcs11ssl')
-rw-r--r-- | bin/tests/system/pkcs11ssl/clean.sh | 16 | ||||
-rw-r--r-- | bin/tests/system/pkcs11ssl/ns1/example.db.in | 22 | ||||
-rw-r--r-- | bin/tests/system/pkcs11ssl/ns1/named.conf | 45 | ||||
-rw-r--r-- | bin/tests/system/pkcs11ssl/prereq.sh | 16 | ||||
-rw-r--r-- | bin/tests/system/pkcs11ssl/setup.sh | 40 | ||||
-rw-r--r-- | bin/tests/system/pkcs11ssl/tests.sh | 62 | ||||
-rw-r--r-- | bin/tests/system/pkcs11ssl/usepkcs11 | 1 |
7 files changed, 202 insertions, 0 deletions
diff --git a/bin/tests/system/pkcs11ssl/clean.sh b/bin/tests/system/pkcs11ssl/clean.sh
new file mode 100644
index 0000000..4af1c39
--- /dev/null
+++ b/bin/tests/system/pkcs11ssl/clean.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
+rm -f dig.out pin
+rm -f ns1/*.key ns1/named.memstats
+rm -f supported
+rm -f ns*/named.lock
diff --git a/bin/tests/system/pkcs11ssl/ns1/example.db.in b/bin/tests/system/pkcs11ssl/ns1/example.db.in
new file mode 100644
index 0000000..95d2a63
--- /dev/null
+++ b/bin/tests/system/pkcs11ssl/ns1/example.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns root (
+ 2000082401 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+
+txt TXT "recursed"
+
diff --git a/bin/tests/system/pkcs11ssl/ns1/named.conf b/bin/tests/system/pkcs11ssl/ns1/named.conf
new file mode 100644
index 0000000..7cd8074
--- /dev/null
+++ b/bin/tests/system/pkcs11ssl/ns1/named.conf
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-md5;
+};
+
+controls {
+ inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+zone "rsa.example." {
+ type master;
+ file "rsa.example.db.signed";
+ allow-update { any; };
+};
+
+zone "ecc.example." {
+ type master;
+ file "ecc.example.db.signed";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/pkcs11ssl/prereq.sh b/bin/tests/system/pkcs11ssl/prereq.sh
new file mode 100644
index 0000000..489bebb
--- /dev/null
+++ b/bin/tests/system/pkcs11ssl/prereq.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+echo "I:(PKCS#11 via OpenSSL)" >&2
+exec $SHELL ../testcrypto.sh rsa
diff --git a/bin/tests/system/pkcs11ssl/setup.sh b/bin/tests/system/pkcs11ssl/setup.sh
new file mode 100644
index 0000000..d2fbe92
--- /dev/null
+++ b/bin/tests/system/pkcs11ssl/setup.sh
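Review bot: The `controls { /* empty */ };` statement near the top of ns1/named.conf is followed by a second `controls { inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; }; };` block, so the empty one contributes nothing and leaves a reader wondering which statement named honours. If named merges repeated controls statements, as I would expect, the empty one can simply be dropped; otherwise a comment such as `/* placeholder; the effective controls block is below */` should say why both exist. The `rndc_key` with a fixed secret and `hmac-md5`, and `allow-update { any; }` on both zones, are appropriate for a loopback fixture driven by the unauthenticated nsupdate in tests.sh, but a one-line `/* test fixture: permissive on purpose */` next to them would keep them from being copied as a template.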
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+infile=ns1/example.db.in
+
+/bin/echo -n ${HSMPIN:-1234}> pin
+PWD=`pwd`
+
+zone=rsa.example
+zonefile=ns1/rsa.example.db
+
+$PK11GEN -a RSA -b 1024 -l robie-rsa-zsk1 -i 01
+$PK11GEN -a RSA -b 1024 -l robie-rsa-zsk2 -i 02
+$PK11GEN -a RSA -b 2048 -l robie-rsa-ksk
+
+rsazsk1=`$KEYFRLAB -a RSASHA1 \
+ -l "robie-rsa-zsk1" rsa.example`
+rsazsk2=`$KEYFRLAB -a RSASHA1 \
+ -l "robie-rsa-zsk2" rsa.example`
+rsaksk=`$KEYFRLAB -a RSASHA1 -f ksk \
+ -l "robie-rsa-ksk" rsa.example`
+
+cat $infile $rsazsk1.key $rsaksk.key > $zonefile
+$SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
+ > /dev/null 2> signer.err || cat signer.err
+cp $rsazsk2.key ns1/rsa.key
+mv Krsa* ns1
+
+rm -f signer.err
diff --git a/bin/tests/system/pkcs11ssl/tests.sh b/bin/tests/system/pkcs11ssl/tests.sh
new file mode 100644
index 0000000..2d7437e
--- /dev/null
+++ b/bin/tests/system/pkcs11ssl/tests.sh
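Review bot: `/bin/echo -n ${HSMPIN:-1234}> pin` in setup.sh creates the PIN file under the caller's default umask, so the HSM PIN is probably readable by other local users unless the harness tightens permissions elsewhere; `(umask 077; printf '%s' "${HSMPIN:-1234}" > pin)` keeps it owner-only and also avoids the non-portable `/bin/echo -n`. `PWD=\`pwd\`` on the next line overwrites the shell's own PWD variable and is never read again in this file, so it looks like a leftover that can go. The `$SIGNER ... || cat signer.err` form prints the error but lets setup continue and exit 0, which turns a signing failure into a puzzling `count != 12` failure later in tests.sh; `|| { cat signer.err; exit 1; }` fails at the real cause.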
@@ -0,0 +1,62 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
+
+status=0
+ret=0
+
+alg=rsa
+zonefile=ns1/rsa.example.db
+echo "I:testing PKCS#11 key generation (rsa)"
+count=`$PK11LIST | grep robie-rsa-ksk | wc -l`
+if [ $count != 2 ]; then echo "I:failed"; status=1; fi
+
+echo "I:testing offline signing with PKCS#11 keys (rsa)"
+
+count=`grep RRSIG $zonefile.signed | wc -l`
+if [ $count != 12 ]; then echo "I:failed"; status=1; fi
+
+echo "I:testing inline signing with PKCS#11 keys (rsa)"
+
+$NSUPDATE > /dev/null <<END || status=1
+server 10.53.0.1 5300
+ttl 300
+zone rsa.example.
+update add `grep -v ';' ns1/${alg}.key`
+send
+END
+
+echo "I:waiting 20 seconds for key changes to take effect"
+sleep 20
+
+$DIG $DIGOPTS ns.rsa.example. @10.53.0.1 a > dig.out || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+count=`grep RRSIG dig.out | wc -l`
+if [ $count != 4 ]; then echo "I:failed"; status=1; fi
+
+echo "I:testing PKCS#11 key destroy (rsa)"
+ret=0
+$PK11DEL -l robie-rsa-ksk -w0 > /dev/null 2>&1 || ret=1
+$PK11DEL -l robie-rsa-zsk1 -w0 > /dev/null 2>&1 || ret=1
+$PK11DEL -i $id -w0 > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+count=`$PK11LIST | grep robie-rsa | wc -l`
+if [ $count != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $count`
+
+echo "I:exit status: $status"
+[ $status -eq 0 ] || exit 1
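Review bot: `$PK11DEL -i $id -w0` in the key-destroy step of tests.sh expands `$id`, which is never assigned anywhere in this file, so unless conf.sh happens to export it the command runs as `$PK11DEL -i -w0`, the second ZSK (created in setup.sh with `-i 02`) is left on the token, and both the `ret` check and the following `robie-rsa` count report a failure. Deleting by label, consistent with the two lines above it, avoids the dependency on the numeric id altogether: `$PK11DEL -l robie-rsa-zsk2 -w0 > /dev/null 2>&1 || ret=1`. The fixed `sleep 20` after the nsupdate is fine for a system test, but a comment saying what the 20 seconds are waiting for (the key's signing to become visible in the `dig` answer, judging by the RRSIG count that follows) would help whoever later tries to shorten it.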
diff --git a/bin/tests/system/pkcs11ssl/usepkcs11 b/bin/tests/system/pkcs11ssl/usepkcs11
new file mode 100644
index 0000000..ef46412
--- /dev/null
+++ b/bin/tests/system/pkcs11ssl/usepkcs11
@@ -0,0 +1 @@
+This test relies on PKCS#11! |