summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/enginepkcs11/tests.sh
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:59:48 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:59:48 +0000
commit3b9b6d0b8e7f798023c9d109c490449d528fde80 (patch)
tree2e1c188dd7b8d7475cd163de9ae02c428343669b /bin/tests/system/enginepkcs11/tests.sh
parentInitial commit. (diff)
downloadbind9-3b9b6d0b8e7f798023c9d109c490449d528fde80.tar.xz
bind9-3b9b6d0b8e7f798023c9d109c490449d528fde80.zip
Adding upstream version 1:9.18.19.upstream/1%9.18.19
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--bin/tests/system/enginepkcs11/tests.sh176
1 files changed, 176 insertions, 0 deletions
diff --git a/bin/tests/system/enginepkcs11/tests.sh b/bin/tests/system/enginepkcs11/tests.sh
new file mode 100644
index 0000000..f8f0317
--- /dev/null
+++ b/bin/tests/system/enginepkcs11/tests.sh
@@ -0,0 +1,176 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+PWD=$(pwd)
+
+status=0
+ret=0
+n=0
+
+dig_with_opts() (
+ $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+)
+
+# Perform tests inside ns1 dir
+cd ns1
+
+for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
+ ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1
+ # Edwards curves are not yet supported by OpenSC
+ # ed25519:EC:edwards25519 ed448:EC:edwards448
+do
+ alg=$(echo "$algtypebits" | cut -f 1 -d :)
+ type=$(echo "$algtypebits" | cut -f 2 -d :)
+ bits=$(echo "$algtypebits" | cut -f 3 -d :)
+ zone="${alg}.example"
+ zonefile="zone.${zone}.db.signed"
+
+ if [ ! -f $zonefile ]; then
+ echo_i "skipping test for ${alg}:${type}:${bits}, no signed zone file ${zonefile}"
+ continue
+ fi
+
+ # Basic checks if setup was successful.
+ n=$((n+1))
+ ret=0
+ echo_i "Test key generation was successful for $zone ($n)"
+ count=$(ls K*.key | grep "K${zone}" | wc -l)
+ test "$count" -eq 4 || ret=1
+ test "$ret" -eq 0 || echo_i "failed (expected 4 keys, got $count)"
+ status=$((status+ret))
+
+ n=$((n+1))
+ ret=0
+ echo_i "Test zone signing was successful for $zone ($n)"
+ $VERIFY -z -o $zone "${zonefile}" > verify.out.$zone.$n 2>&1 || ret=1
+ test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)"
+ status=$((status+ret))
+
+ # Test inline signing with keys stored in engine.
+ zskid1=$(cat "${zone}.zskid1")
+ zskid2=$(cat "${zone}.zskid2")
+
+ n=$((n+1))
+ ret=0
+ echo_i "Test inline signing for $zone ($n)"
+ dig_with_opts "$zone" @10.53.0.1 SOA > dig.out.soa.$zone.$n || ret=1
+ awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n > dig.out.keyids.$zone.$n || return 1
+ numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
+ test $numsigs -eq 1 || return 1
+ grep -w "$zskid1" dig.out.keyids.$zone.$n > /dev/null || return 1
+ test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed with key $zskid1)"
+ status=$((status+ret))
+
+
+ n=$((n+1))
+ ret=0
+ echo_i "Dynamically update $zone, add new zsk ($n)"
+ zsk2=$(grep -v ';' K${zone}.*.zsk2)
+ cat > "update.cmd.zsk.$zone.$n" <<EOF
+server 10.53.0.1 $PORT
+ttl 300
+zone $zone
+update add $zsk2
+send
+EOF
+
+ $NSUPDATE -v > "update.log.zsk.$zone.$n" < "update.cmd.zsk.$zone.$n" || ret=1
+ test "$ret" -eq 0 || echo_i "failed (update failed)"
+ status=$((status+ret))
+
+ n=$((n+1))
+ ret=0
+ echo_i "Test DNSKEY response for $zone after inline signing ($n)"
+ _dig_dnskey() (
+ dig_with_opts "$zone" @10.53.0.1 DNSKEY > dig.out.dnskey.$zone.$n || return 1
+ count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
+ test $count -eq 3
+ )
+ retry_quiet 10 _dig_dnskey || ret=1
+ test "$ret" -eq 0 || echo_i "failed (expected 3 DNSKEY records)"
+ status=$((status+ret))
+
+ n=$((n+1))
+ ret=0
+ echo_i "Test SOA response for $zone after inline signing ($n)"
+ _dig_soa() (
+ dig_with_opts "$zone" @10.53.0.1 SOA > dig.out.soa.$zone.$n || return 1
+ awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n > dig.out.keyids.$zone.$n || return 1
+ numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
+ test $numsigs -eq 2 || return 1
+ grep -w "$zskid1" dig.out.keyids.$zone.$n > /dev/null || return 1
+ grep -w "$zskid2" dig.out.keyids.$zone.$n > /dev/null || return 1
+ return 0
+ )
+ retry_quiet 10 _dig_soa || ret=1
+ test "$ret" -eq 0 || echo_i "failed (expected 2 SOA RRSIG records)"
+ status=$((status+ret))
+
+ # Test inline signing with keys stored in engine (key signing).
+ kskid1=$(cat "${zone}.kskid1")
+ kskid2=$(cat "${zone}.kskid2")
+
+ n=$((n+1))
+ ret=0
+ echo_i "Dynamically update $zone, add new ksk ($n)"
+ ksk2=$(grep -v ';' K${zone}.*.ksk2)
+ cat > "update.cmd.ksk.$zone.$n" <<EOF
+server 10.53.0.1 $PORT
+ttl 300
+zone $zone
+update add $ksk2
+send
+EOF
+
+ $NSUPDATE -v > "update.log.ksk.$zone.$n" < "update.cmd.ksk.$zone.$n" || ret=1
+ test "$ret" -eq 0 || echo_i "failed (update failed)"
+ status=$((status+ret))
+
+ n=$((n+1))
+ ret=0
+ echo_i "Test DNSKEY response for $zone after inline signing (key signing) ($n)"
+ _dig_dnskey_ksk() (
+ dig_with_opts "$zone" @10.53.0.1 DNSKEY > dig.out.dnskey.$zone.$n || return 1
+ count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
+ test $count -eq 4 || return 1
+ awk '$4 == "RRSIG" { print $11 }' dig.out.dnskey.$zone.$n > dig.out.keyids.$zone.$n || return 1
+ numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
+ test $numsigs -eq 2 || return 1
+ grep -w "$kskid1" dig.out.keyids.$zone.$n > /dev/null || return 1
+ grep -w "$kskid2" dig.out.keyids.$zone.$n > /dev/null || return 1
+ return 0
+ )
+ retry_quiet 10 _dig_dnskey_ksk || ret=1
+ test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)"
+ status=$((status+ret))
+
+done
+
+# Go back to main test dir.
+cd ..
+
+n=$((n+1))
+ret=0
+echo_i "Checking for assertion failure in pk11_numbits()"
+$PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt
+dig_with_opts @10.53.0.1 version.bind. CH TXT > dig.out.pk11_numbits || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1