authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 07:24:22 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 07:24:22 +0000
commit45d6379135504814ab723b57f0eb8be23393a51d (patch)
treed4f2ec4acca824a8446387a758b0ce4238a4dffa /bin/tests/system/pkcs11
parentInitial commit. (diff)
Adding upstream version 1:9.16.44.upstream/1%9.16.44upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt20
-rw-r--r--bin/tests/system/pkcs11/clean.sh21
-rw-r--r--bin/tests/system/pkcs11/ns1/example.db.in24
-rw-r--r--bin/tests/system/pkcs11/ns1/named.conf.in36
-rw-r--r--bin/tests/system/pkcs11/setup.sh96
-rw-r--r--bin/tests/system/pkcs11/tests.sh149
-rw-r--r--bin/tests/system/pkcs11/usepkcs111
7 files changed, 347 insertions, 0 deletions
diff --git a/bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt b/bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt
new file mode 100644
index 0000000..09b06f0
--- /dev/null
+++ b/bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt
@@ -0,0 +1,20 @@
+edda 2800 0001 0000 0001 0000 0972 7361
+7368 6132 3536 0765 7861 6d70 6c65 0000
+0600 01c0 0c00 3000 0100 0001 2c01 0801
+0003 0803 0100 0100 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 00
diff --git a/bin/tests/system/pkcs11/clean.sh b/bin/tests/system/pkcs11/clean.sh
new file mode 100644
index 0000000..b790cd8
--- /dev/null
+++ b/bin/tests/system/pkcs11/clean.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
+rm -f dig.out* pin upd.log* upd.cmd* pkcs11-list.out*
+rm -f ns1/*.ksk ns1/*.zsk ns1/named.memstats
+rm -f supported
+rm -f ns*/named.run ns*/named.lock ns*/named.conf
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/pkcs11/ns1/example.db.in b/bin/tests/system/pkcs11/ns1/example.db.in
new file mode 100644
index 0000000..8e06212
--- /dev/null
+++ b/bin/tests/system/pkcs11/ns1/example.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns root (
+ 2000082401 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+
+txt TXT "recursed"
+
diff --git a/bin/tests/system/pkcs11/ns1/named.conf.in b/bin/tests/system/pkcs11/ns1/named.conf.in
new file mode 100644
index 0000000..8f2687d
--- /dev/null
+++ b/bin/tests/system/pkcs11/ns1/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ notify no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/pkcs11/setup.sh b/bin/tests/system/pkcs11/setup.sh
new file mode 100644
index 0000000..274ccf6
--- /dev/null
+++ b/bin/tests/system/pkcs11/setup.sh
@@ -0,0 +1,96 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+SYSTEMTESTTOP=..
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -u
+
+echo_i "Generating keys for Native PKCS#11" >&2
+
+infile=ns1/example.db.in
+
+printf '%s' "${HSMPIN:-1234}" > pin
+PWD=$(pwd)
+
+copy_setports ns1/named.conf.in ns1/named.conf
+
+get_random() {
+ dd if=/dev/urandom bs=1 count=2 2>/dev/null | od -tu2 -An
+}
+
+genpkcs() (
+ alg="$1"
+ bits="$2"
+ label="$3"
+ id="$(get_random)"
+
+ $PK11DEL -l "$label" -w0 >/dev/null || true
+ $PK11GEN -a "$alg" -b "$bits" -l "$label" -i "$id" >/dev/null
+)
+
+keyfrlab() (
+ alg="$1"
+ bits="$2"
+ label="$3"
+ zone="$4"
+ shift 4
+
+ $KEYFRLAB -a "$alg" -l "pkcs11:object=$label;pin-source=$PWD/pin" "$@" "$zone"
+)
+
+genzsk() (
+ genpkcs "$@"
+ keyfrlab "$@"
+)
+
+genksk() (
+ genpkcs "$@"
+ keyfrlab "$@" -f ksk
+)
+
+algs=
+for algbits in rsasha256:2048 rsasha512:2048 ecdsap256sha256:256 ecdsap384sha384:384 ed25519:256 ed448:456; do
+ alg=$(echo "$algbits" | cut -f 1 -d :)
+ bits=$(echo "$algbits" | cut -f 2 -d :)
+ zone="$alg.example"
+ zonefile="ns1/$alg.example.db"
+ if $SHELL "$SYSTEMTESTTOP/testcrypto.sh" "$alg"; then
+ echo "$alg" >> supported
+ algs="$algs$alg "
+
+ zsk1=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk1" "$zone")
+ zsk2=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk2" "$zone")
+ ksk1=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk1" "$zone")
+ ksk2=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk2" "$zone")
+
+ cat "$infile" "$zsk1.key" "$ksk1.key" > "$zonefile"
+ $SIGNER -a -P -g -o "$zone" "$zonefile" > /dev/null
+ cp "$zsk2.key" "ns1/$alg.zsk"
+ cp "$ksk2.key" "ns1/$alg.ksk"
+ mv "K$alg"* ns1/
+
+ cat >> ns1/named.conf <<EOF
+zone "$alg.example." {
+ type primary;
+ file "$alg.example.db.signed";
+ allow-update { any; };
+};
+
+EOF
+ fi
+done
+echo_i "Generated keys for Native PKCS#11: $algs"
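Review bot: The HSM PIN is written to `pin` on the `printf '%s' "${HSMPIN:-1234}" > pin` line with whatever umask the caller happens to have, so on a shared test host the file that `keyfrlab` later references via `pin-source=` can end up world-readable; creating it under a restrictive mask, `( umask 077; printf '%s' "${HSMPIN:-1234}" > pin )`, keeps the secret to the invoking user without changing anything else in the script. On the following line `PWD=$(pwd)` reassigns the shell's own `PWD` variable; its only use is building the pin-source path, so a distinct name such as `pindir=$(pwd)` would avoid shadowing a special variable. The `pin-source=$PWD/pin` value is embedded into the PKCS#11 URI unescaped, so a working directory containing `;` or spaces would presumably break label parsing — worth a one-line comment if that is an accepted constraint of the test tree.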
diff --git a/bin/tests/system/pkcs11/tests.sh b/bin/tests/system/pkcs11/tests.sh
new file mode 100644
index 0000000..e8d7cb6
--- /dev/null
+++ b/bin/tests/system/pkcs11/tests.sh
@@ -0,0 +1,149 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+SYSTEMTESTTOP=..
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+count_rrsigs() (
+ grep -c "IN[[:space:]]*RRSIG" "$@" || true
+)
+
+dig_with_opts() (
+ $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+)
+
+dig_for_rr() (
+ alg=$1
+ rrtype=$2
+ count0=$3
+ dig_with_opts "$alg.example." @10.53.0.1 "$rrtype" > "dig.out.$rrtype.$alg" &&
+ count=$(count_rrsigs "dig.out.$rrtype.$alg") &&
+ test "$count" -gt "$count0"
+)
+
+test_done() {
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ ret=0
+}
+
+status=0
+ret=0
+
+n=0
+while read -r alg; do
+ zonefile=ns1/$alg.example.db
+ echo_i "testing PKCS#11 key generation ($alg)"
+ count=$($PK11LIST | grep -c "pkcs11-$alg-ksk" || true)
+ [ "$count" -eq 4 ] || ret=1
+ test_done
+
+ echo_i "testing offline signing with PKCS#11 keys ($alg)"
+
+ count=$(grep -c "[0-9][[:space:]]*RRSIG" "$zonefile.signed")
+ [ "$count" -eq 9 ] || ret=1
+ test_done
+
+ echo_i "testing inline signing with new PKCS#11 ZSK ($alg)"
+
+ dig_with_opts "$alg.example." @10.53.0.1 "SOA" > "dig.out.SOA.$alg.0" || ret=1
+ countSOA0=$(count_rrsigs "dig.out.SOA.$alg.0")
+ new_zsk=$(grep -v ';' "ns1/$alg.zsk")
+
+ cat > "upd.cmd.ZSK.$alg" <<EOF
+server 10.53.0.1 $PORT
+ttl 300
+zone $alg.example.
+update add $new_zsk
+send
+EOF
+
+ $NSUPDATE -v > "upd.log.ZSK.$alg" < "upd.cmd.ZSK.$alg" || ret=1
+
+ retry_quiet 20 dig_for_rr "$alg" "SOA" "$countSOA0" || ret=1
+ test_done
+
+ echo_i "testing inline signing with new PKCS#11 KSK ($alg)"
+
+ dig_with_opts "$alg.example." @10.53.0.1 "DNSKEY" > "dig.out.DNSKEY.$alg.0" || ret=1
+ countDNSKEY0=$(count_rrsigs "dig.out.DNSKEY.$alg.0")
+ new_ksk=$(grep -v ';' "ns1/$alg.ksk")
+
+ cat > "upd.cmd.KSK.$alg" <<EOF
+server 10.53.0.1 $PORT
+ttl 300
+zone $alg.example.
+update add $new_ksk
+send
+EOF
+
+ $NSUPDATE -v > "upd.log.KSK.$alg" < "upd.cmd.KSK.$alg" || ret=1
+
+ retry_quiet 20 dig_for_rr "$alg" "DNSKEY" "$countDNSKEY0" || ret=1
+ test_done
+
+ echo_i "testing PKCS#11 key destroy ($alg)"
+
+ # Lookup all existing keys
+ echo_i "looking up all existing keys ($alg)"
+ $PK11LIST > "pkcs11-list.out.id.$alg" || ret=1
+ test_done
+
+ echo_i "destroying key with 'pkcs11-$alg-ksk1' label ($alg)"
+ $PK11DEL -l "pkcs11-$alg-ksk1" > /dev/null 2>&1 || ret=1
+ test_done
+
+ echo_i "destroying key with 'pkcs11-$alg-zsk1' label ($alg)"
+ $PK11DEL -l "pkcs11-$alg-zsk1" > /dev/null 2>&1 || ret=1
+ test_done
+
+ id=$(awk -v label="'pkcs11-$alg-ksk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg")
+ echo_i "destroying key with $id id ($alg)"
+ if [ -n "$id" ]; then
+ $PK11DEL -i "$id" > /dev/null 2>&1 || ret=1
+ else
+ ret=1
+ fi
+ test_done
+
+ id=$(awk -v label="'pkcs11-$alg-zsk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg")
+ echo_i "destroying key with $id id ($alg)"
+ if [ -n "$id" ]; then
+ $PK11DEL -i "$id" > /dev/null 2>&1 || ret=1
+ else
+ ret=1
+ fi
+ test_done
+
+ echo_i "checking if all keys have been destroyed ($alg)"
+ $PK11LIST > "pkcs11-list.out.$alg" || ret=1
+ count=$(grep -c "pkcs11-$alg-[kz]sk[0-9]*" "pkcs11-list.out.$alg" || true)
+ [ "$count" -eq 0 ] || ret=1
+ test_done
+ n=$((n+1))
+done < supported
+
+echo_i "Checking if all supported algorithms were tested"
+[ "$n" -eq "$(wc -l < supported)" ] || ret=1
+test_done
+
+echo_i "Checking for assertion failure in pk11_numbits()"
+$PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt
+dig_with_opts @10.53.0.1 version.bind. CH TXT > dig.out.pk11_numbits || ret=1
+test_done
+
+echo_i "exit status: $status"
+[ "$status" -eq 0 ] || exit 1
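Review bot: The `count=$(grep -c "[0-9][[:space:]]*RRSIG" "$zonefile.signed")` line in the offline-signing check lacks the `|| true` that the other `grep -c` counts in this file carry (the key-generation and key-destroy checks), so a signed zone with no RRSIG records makes grep exit 1 and, under `set -e`, aborts the whole run instead of being recorded as a failure through `ret=1`; `count=$(grep -c "[0-9][[:space:]]*RRSIG" "$zonefile.signed" || true)` makes the three consistent. The same pattern applies to the `$PERL ../packet.pl ...` line in the final pk11_numbits check, which has no `|| ret=1`, so a failure to send the crafted packet exits before `echo_i "exit status: $status"` is ever printed. The second point is a judgement call — one could argue a send failure should abort the run — in which case a comment stating that intent on that line would help the next reader.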
diff --git a/bin/tests/system/pkcs11/usepkcs11 b/bin/tests/system/pkcs11/usepkcs11
new file mode 100644
index 0000000..ef46412
--- /dev/null
+++ b/bin/tests/system/pkcs11/usepkcs11
@@ -0,0 +1 @@
+This test relies on PKCS#11!