bin/tests/system/pkcs11/setup.sh


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96

#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0.  If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

set -e

SYSTEMTESTTOP=..
# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"

set -u

echo_i "Generating keys for Native PKCS#11" >&2

infile=ns1/example.db.in

printf '%s' "${HSMPIN:-1234}" >pin
PWD=$(pwd)

copy_setports ns1/named.conf.in ns1/named.conf

get_random() {
  dd if=/dev/urandom bs=1 count=2 2>/dev/null | od -tu2 -An
}

genpkcs() (
  alg="$1"
  bits="$2"
  label="$3"
  id="$(get_random)"

  $PK11DEL -l "$label" -w0 >/dev/null || true
  $PK11GEN -a "$alg" -b "$bits" -l "$label" -i "$id" >/dev/null
)

keyfrlab() (
  alg="$1"
  bits="$2"
  label="$3"
  zone="$4"
  shift 4

  $KEYFRLAB -a "$alg" -l "pkcs11:object=$label;pin-source=$PWD/pin" "$@" "$zone"
)

genzsk() (
  genpkcs "$@"
  keyfrlab "$@"
)

genksk() (
  genpkcs "$@"
  keyfrlab "$@" -f ksk
)

algs=
for algbits in rsasha256:2048 rsasha512:2048 ecdsap256sha256:256 ecdsap384sha384:384 ed25519:256 ed448:456; do
  alg=$(echo "$algbits" | cut -f 1 -d :)
  bits=$(echo "$algbits" | cut -f 2 -d :)
  zone="$alg.example"
  zonefile="ns1/$alg.example.db"
  if $SHELL "$SYSTEMTESTTOP/testcrypto.sh" "$alg"; then
    echo "$alg" >>supported
    algs="$algs$alg "

    zsk1=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk1" "$zone")
    zsk2=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk2" "$zone")
    ksk1=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk1" "$zone")
    ksk2=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk2" "$zone")

    cat "$infile" "$zsk1.key" "$ksk1.key" >"$zonefile"
    $SIGNER -a -P -g -o "$zone" "$zonefile" >/dev/null
    cp "$zsk2.key" "ns1/$alg.zsk"
    cp "$ksk2.key" "ns1/$alg.ksk"
    mv "K$alg"* ns1/

    cat >>ns1/named.conf <<EOF
zone "$alg.example." {
	type primary;
	file "$alg.example.db.signed";
	allow-update { any; };
};

EOF
  fi
done
echo_i "Generated keys for Native PKCS#11: $algs"