diff options
Diffstat (limited to 'bin/tests/system/pkcs11')
| -rw-r--r-- | bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt | 20 | ||||
| -rw-r--r-- | bin/tests/system/pkcs11/clean.sh | 21 | ||||
| -rw-r--r-- | bin/tests/system/pkcs11/ns1/example.db.in | 24 | ||||
| -rw-r--r-- | bin/tests/system/pkcs11/ns1/named.conf.in | 36 | ||||
| -rw-r--r-- | bin/tests/system/pkcs11/setup.sh | 96 | ||||
| -rw-r--r-- | bin/tests/system/pkcs11/tests.sh | 149 | ||||
| -rw-r--r-- | bin/tests/system/pkcs11/usepkcs11 | 1 |
7 files changed, 347 insertions, 0 deletions
diff --git a/bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt b/bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt new file mode 100644 index 0000000..09b06f0 --- /dev/null +++ b/bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt @@ -0,0 +1,20 @@ +edda 2800 0001 0000 0001 0000 0972 7361 +7368 6132 3536 0765 7861 6d70 6c65 0000 +0600 01c0 0c00 3000 0100 0001 2c01 0801 +0003 0803 0100 0100 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 00 diff --git a/bin/tests/system/pkcs11/clean.sh b/bin/tests/system/pkcs11/clean.sh new file mode 100644 index 0000000..b790cd8 --- /dev/null +++ b/bin/tests/system/pkcs11/clean.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl +rm -f dig.out* pin upd.log* upd.cmd* pkcs11-list.out* +rm -f ns1/*.ksk ns1/*.zsk ns1/named.memstats +rm -f supported +rm -f ns*/named.run ns*/named.lock ns*/named.conf +rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/pkcs11/ns1/example.db.in b/bin/tests/system/pkcs11/ns1/example.db.in new file mode 100644 index 0000000..8e06212 --- /dev/null +++ b/bin/tests/system/pkcs11/ns1/example.db.in @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.1 + +txt TXT "recursed" + diff --git a/bin/tests/system/pkcs11/ns1/named.conf.in b/bin/tests/system/pkcs11/ns1/named.conf.in new file mode 100644 index 0000000..8f2687d --- /dev/null +++ b/bin/tests/system/pkcs11/ns1/named.conf.in @@ -0,0 +1,36 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + dnssec-validation no; + notify no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; diff --git a/bin/tests/system/pkcs11/setup.sh b/bin/tests/system/pkcs11/setup.sh new file mode 100644 index 0000000..274ccf6 --- /dev/null +++ b/bin/tests/system/pkcs11/setup.sh @@ -0,0 +1,96 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +SYSTEMTESTTOP=.. +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +set -u + +echo_i "Generating keys for Native PKCS#11" >&2 + +infile=ns1/example.db.in + +printf '%s' "${HSMPIN:-1234}" > pin +PWD=$(pwd) + +copy_setports ns1/named.conf.in ns1/named.conf + +get_random() { + dd if=/dev/urandom bs=1 count=2 2>/dev/null | od -tu2 -An +} + +genpkcs() ( + alg="$1" + bits="$2" + label="$3" + id="$(get_random)" + + $PK11DEL -l "$label" -w0 >/dev/null || true + $PK11GEN -a "$alg" -b "$bits" -l "$label" -i "$id" >/dev/null +) + +keyfrlab() ( + alg="$1" + bits="$2" + label="$3" + zone="$4" + shift 4 + + $KEYFRLAB -a "$alg" -l "pkcs11:object=$label;pin-source=$PWD/pin" "$@" "$zone" +) + +genzsk() ( + genpkcs "$@" + keyfrlab "$@" +) + +genksk() ( + genpkcs "$@" + keyfrlab "$@" -f ksk +) + +algs= +for algbits in rsasha256:2048 rsasha512:2048 ecdsap256sha256:256 ecdsap384sha384:384 ed25519:256 ed448:456; do + alg=$(echo "$algbits" | cut -f 1 -d :) + bits=$(echo "$algbits" | cut -f 2 -d :) + zone="$alg.example" + zonefile="ns1/$alg.example.db" + if $SHELL "$SYSTEMTESTTOP/testcrypto.sh" "$alg"; then + echo "$alg" >> supported + algs="$algs$alg " + + zsk1=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk1" "$zone") + zsk2=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk2" "$zone") + ksk1=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk1" "$zone") + ksk2=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk2" "$zone") + + cat "$infile" "$zsk1.key" "$ksk1.key" > "$zonefile" + $SIGNER -a -P -g -o "$zone" "$zonefile" > /dev/null + cp "$zsk2.key" "ns1/$alg.zsk" + cp "$ksk2.key" "ns1/$alg.ksk" + mv "K$alg"* ns1/ + + cat >> ns1/named.conf <<EOF +zone "$alg.example." { + type primary; + file "$alg.example.db.signed"; + allow-update { any; }; +}; + +EOF + fi +done +echo_i "Generated keys for Native PKCS#11: $algs" diff --git a/bin/tests/system/pkcs11/tests.sh b/bin/tests/system/pkcs11/tests.sh new file mode 100644 index 0000000..e8d7cb6 --- /dev/null +++ b/bin/tests/system/pkcs11/tests.sh @@ -0,0 +1,149 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +SYSTEMTESTTOP=.. +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +count_rrsigs() ( + grep -c "IN[[:space:]]*RRSIG" "$@" || true +) + +dig_with_opts() ( + $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" +) + +dig_for_rr() ( + alg=$1 + rrtype=$2 + count0=$3 + dig_with_opts "$alg.example." @10.53.0.1 "$rrtype" > "dig.out.$rrtype.$alg" && + count=$(count_rrsigs "dig.out.$rrtype.$alg") && + test "$count" -gt "$count0" +) + +test_done() { + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + ret=0 +} + +status=0 +ret=0 + +n=0 +while read -r alg; do + zonefile=ns1/$alg.example.db + echo_i "testing PKCS#11 key generation ($alg)" + count=$($PK11LIST | grep -c "pkcs11-$alg-ksk" || true) + [ "$count" -eq 4 ] || ret=1 + test_done + + echo_i "testing offline signing with PKCS#11 keys ($alg)" + + count=$(grep -c "[0-9][[:space:]]*RRSIG" "$zonefile.signed") + [ "$count" -eq 9 ] || ret=1 + test_done + + echo_i "testing inline signing with new PKCS#11 ZSK ($alg)" + + dig_with_opts "$alg.example." @10.53.0.1 "SOA" > "dig.out.SOA.$alg.0" || ret=1 + countSOA0=$(count_rrsigs "dig.out.SOA.$alg.0") + new_zsk=$(grep -v ';' "ns1/$alg.zsk") + + cat > "upd.cmd.ZSK.$alg" <<EOF +server 10.53.0.1 $PORT +ttl 300 +zone $alg.example. +update add $new_zsk +send +EOF + + $NSUPDATE -v > "upd.log.ZSK.$alg" < "upd.cmd.ZSK.$alg" || ret=1 + + retry_quiet 20 dig_for_rr "$alg" "SOA" "$countSOA0" || ret=1 + test_done + + echo_i "testing inline signing with new PKCS#11 KSK ($alg)" + + dig_with_opts "$alg.example." @10.53.0.1 "DNSKEY" > "dig.out.DNSKEY.$alg.0" || ret=1 + countDNSKEY0=$(count_rrsigs "dig.out.DNSKEY.$alg.0") + new_ksk=$(grep -v ';' "ns1/$alg.ksk") + + cat > "upd.cmd.KSK.$alg" <<EOF +server 10.53.0.1 $PORT +ttl 300 +zone $alg.example. +update add $new_ksk +send +EOF + + $NSUPDATE -v > "upd.log.KSK.$alg" < "upd.cmd.KSK.$alg" || ret=1 + + retry_quiet 20 dig_for_rr "$alg" "DNSKEY" "$countDNSKEY0" || ret=1 + test_done + + echo_i "testing PKCS#11 key destroy ($alg)" + + # Lookup all existing keys + echo_i "looking up all existing keys ($alg)" + $PK11LIST > "pkcs11-list.out.id.$alg" || ret=1 + test_done + + echo_i "destroying key with 'pkcs11-$alg-ksk1' label ($alg)" + $PK11DEL -l "pkcs11-$alg-ksk1" > /dev/null 2>&1 || ret=1 + test_done + + echo_i "destroying key with 'pkcs11-$alg-zsk1' label ($alg)" + $PK11DEL -l "pkcs11-$alg-zsk1" > /dev/null 2>&1 || ret=1 + test_done + + id=$(awk -v label="'pkcs11-$alg-ksk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg") + echo_i "destroying key with $id id ($alg)" + if [ -n "$id" ]; then + $PK11DEL -i "$id" > /dev/null 2>&1 || ret=1 + else + ret=1 + fi + test_done + + id=$(awk -v label="'pkcs11-$alg-zsk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg") + echo_i "destroying key with $id id ($alg)" + if [ -n "$id" ]; then + $PK11DEL -i "$id" > /dev/null 2>&1 || ret=1 + else + ret=1 + fi + test_done + + echo_i "checking if all keys have been destroyed ($alg)" + $PK11LIST > "pkcs11-list.out.$alg" || ret=1 + count=$(grep -c "pkcs11-$alg-[kz]sk[0-9]*" "pkcs11-list.out.$alg" || true) + [ "$count" -eq 0 ] || ret=1 + test_done + n=$((n+1)) +done < supported + +echo_i "Checking if all supported algorithms were tested" +[ "$n" -eq "$(wc -l < supported)" ] || ret=1 +test_done + +echo_i "Checking for assertion failure in pk11_numbits()" +$PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt +dig_with_opts @10.53.0.1 version.bind. CH TXT > dig.out.pk11_numbits || ret=1 +test_done + +echo_i "exit status: $status" +[ "$status" -eq 0 ] || exit 1 diff --git a/bin/tests/system/pkcs11/usepkcs11 b/bin/tests/system/pkcs11/usepkcs11 new file mode 100644 index 0000000..ef46412 --- /dev/null +++ b/bin/tests/system/pkcs11/usepkcs11 @@ -0,0 +1 @@ +This test relies on PKCS#11! |