diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-08 16:41:29 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-08 16:41:29 +0000 |
commit | e2fc8e037ea6bb5de92b25ec9c12a624737ac5ca (patch) | |
tree | 65e6bbf5e12c3fe09b43e577f8d1786d06bcd559 /bin/tests/system/enginepkcs11 | |
parent | Releasing progress-linux version 1:9.18.19-1~deb12u1progress7u1. (diff) | |
download | bind9-e2fc8e037ea6bb5de92b25ec9c12a624737ac5ca.tar.xz bind9-e2fc8e037ea6bb5de92b25ec9c12a624737ac5ca.zip |
Merging upstream version 1:9.18.24.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'bin/tests/system/enginepkcs11')
-rw-r--r-- | bin/tests/system/enginepkcs11/prereq.sh | 2 | ||||
-rw-r--r-- | bin/tests/system/enginepkcs11/setup.sh | 163 | ||||
-rw-r--r-- | bin/tests/system/enginepkcs11/tests.sh | 233 |
3 files changed, 196 insertions, 202 deletions
diff --git a/bin/tests/system/enginepkcs11/prereq.sh b/bin/tests/system/enginepkcs11/prereq.sh index 296452b..5372924 100644 --- a/bin/tests/system/enginepkcs11/prereq.sh +++ b/bin/tests/system/enginepkcs11/prereq.sh @@ -14,7 +14,7 @@ . ../conf.sh if [ -n "${SOFTHSM2_MODULE}" ] && command -v softhsm2-util >/dev/null; then - exit 0 + exit 0 fi echo_i "skip: softhsm2-util not available" diff --git a/bin/tests/system/enginepkcs11/setup.sh b/bin/tests/system/enginepkcs11/setup.sh index 49988ad..7cae90d 100644 --- a/bin/tests/system/enginepkcs11/setup.sh +++ b/bin/tests/system/enginepkcs11/setup.sh @@ -18,102 +18,99 @@ set -e softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2-enginepkcs11" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }' -printf '%s' "${HSMPIN:-1234}" > pin +printf '%s' "${HSMPIN:-1234}" >pin PWD=$(pwd) copy_setports ns1/named.conf.in ns1/named.conf keygen() { - type="$1" - bits="$2" - zone="$3" - id="$4" - - label="${id}-${zone}" - p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}') - pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-enginepkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id 2> pkcs11-tool.err.$zone.$id || return 1 + type="$1" + bits="$2" + zone="$3" + id="$4" + + label="${id}-${zone}" + p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}') + pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-enginepkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) >pkcs11-tool.out.$zone.$id 2>pkcs11-tool.err.$zone.$id || return 1 } keyfromlabel() { - alg="$1" - zone="$2" - id="$3" - dir="$4" - shift 4 - - $KEYFRLAB -K $dir -E pkcs11 -a $alg -l "token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >> keyfromlabel.out.$zone.$id 2> keyfromlabel.err.$zone.$id || return 1 - cat keyfromlabel.out.$zone.$id + alg="$1" + zone="$2" + id="$3" + dir="$4" + shift 4 + + $KEYFRLAB -K $dir -E pkcs11 -a $alg -l "token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1 + cat keyfromlabel.out.$zone.$id } - # Setup ns1. dir="ns1" infile="${dir}/template.db.in" for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \ - ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1 - # Edwards curves are not yet supported by OpenSC - # ed25519:EC:edwards25519 ed448:EC:edwards448 -do - alg=$(echo "$algtypebits" | cut -f 1 -d :) - type=$(echo "$algtypebits" | cut -f 2 -d :) - bits=$(echo "$algtypebits" | cut -f 3 -d :) - - if $SHELL ../testcrypto.sh $alg; then - zone="$alg.example" - zonefile="zone.$alg.example.db" - ret=0 - - echo_i "Generate keys $alg $type:$bits for zone $zone" - keygen $type $bits $zone enginepkcs11-zsk || ret=1 - keygen $type $bits $zone enginepkcs11-ksk || ret=1 - test "$ret" -eq 0 || exit 1 - - echo_i "Get ZSK $alg $zone $type:$bits" - zsk1=$(keyfromlabel $alg $zone enginepkcs11-zsk $dir) - test -z "$zsk1" && exit 1 - - echo_i "Get KSK $alg $zone $type:$bits" - ksk1=$(keyfromlabel $alg $zone enginepkcs11-ksk $dir -f KSK) - test -z "$ksk1" && exit 1 - - ( - cd $dir - zskid1=$(keyfile_to_key_id $zsk1) - kskid1=$(keyfile_to_key_id $ksk1) - echo "$zskid1" > $zone.zskid1 - echo "$kskid1" > $zone.kskid1 - ) - - echo_i "Sign zone with $ksk1 $zsk1" - cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" > "${dir}/${zonefile}" - $SIGNER -K $dir -E pkcs11 -S -a -g -O full -o "$zone" "${dir}/${zonefile}" > signer.out.$zone || ret=1 - test "$ret" -eq 0 || exit 1 - - echo_i "Generate successor keys $alg $type:$bits for zone $zone" - keygen $type $bits $zone enginepkcs11-zsk2 || ret=1 - keygen $type $bits $zone enginepkcs11-ksk2 || ret=1 - test "$ret" -eq 0 || exit 1 - - echo_i "Get ZSK $alg $id-$zone $type:$bits" - zsk2=$(keyfromlabel $alg $zone enginepkcs11-zsk2 $dir) - test -z "$zsk2" && exit 1 - - echo_i "Get KSK $alg $id-$zone $type:$bits" - ksk2=$(keyfromlabel $alg $zone enginepkcs11-ksk2 $dir -f KSK) - test -z "$ksk2" && exit 1 - - ( - cd $dir - zskid2=$(keyfile_to_key_id $zsk2) - kskid2=$(keyfile_to_key_id $ksk2) - echo "$zskid2" > $zone.zskid2 - echo "$kskid2" > $zone.kskid2 - cp "${zsk2}.key" "${zsk2}.zsk2" - cp "${ksk2}.key" "${ksk2}.ksk2" - ) - - echo_i "Add zone $zone to named.conf" - cat >> "${dir}/named.conf" <<EOF + ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1; do # Edwards curves are not yet supported by OpenSC + # ed25519:EC:edwards25519 ed448:EC:edwards448 + alg=$(echo "$algtypebits" | cut -f 1 -d :) + type=$(echo "$algtypebits" | cut -f 2 -d :) + bits=$(echo "$algtypebits" | cut -f 3 -d :) + + if $SHELL ../testcrypto.sh $alg; then + zone="$alg.example" + zonefile="zone.$alg.example.db" + ret=0 + + echo_i "Generate keys $alg $type:$bits for zone $zone" + keygen $type $bits $zone enginepkcs11-zsk || ret=1 + keygen $type $bits $zone enginepkcs11-ksk || ret=1 + test "$ret" -eq 0 || exit 1 + + echo_i "Get ZSK $alg $zone $type:$bits" + zsk1=$(keyfromlabel $alg $zone enginepkcs11-zsk $dir) + test -z "$zsk1" && exit 1 + + echo_i "Get KSK $alg $zone $type:$bits" + ksk1=$(keyfromlabel $alg $zone enginepkcs11-ksk $dir -f KSK) + test -z "$ksk1" && exit 1 + + ( + cd $dir + zskid1=$(keyfile_to_key_id $zsk1) + kskid1=$(keyfile_to_key_id $ksk1) + echo "$zskid1" >$zone.zskid1 + echo "$kskid1" >$zone.kskid1 + ) + + echo_i "Sign zone with $ksk1 $zsk1" + cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile}" + $SIGNER -K $dir -E pkcs11 -S -a -g -O full -o "$zone" "${dir}/${zonefile}" >signer.out.$zone || ret=1 + test "$ret" -eq 0 || exit 1 + + echo_i "Generate successor keys $alg $type:$bits for zone $zone" + keygen $type $bits $zone enginepkcs11-zsk2 || ret=1 + keygen $type $bits $zone enginepkcs11-ksk2 || ret=1 + test "$ret" -eq 0 || exit 1 + + echo_i "Get ZSK $alg $id-$zone $type:$bits" + zsk2=$(keyfromlabel $alg $zone enginepkcs11-zsk2 $dir) + test -z "$zsk2" && exit 1 + + echo_i "Get KSK $alg $id-$zone $type:$bits" + ksk2=$(keyfromlabel $alg $zone enginepkcs11-ksk2 $dir -f KSK) + test -z "$ksk2" && exit 1 + + ( + cd $dir + zskid2=$(keyfile_to_key_id $zsk2) + kskid2=$(keyfile_to_key_id $ksk2) + echo "$zskid2" >$zone.zskid2 + echo "$kskid2" >$zone.kskid2 + cp "${zsk2}.key" "${zsk2}.zsk2" + cp "${ksk2}.key" "${ksk2}.ksk2" + ) + + echo_i "Add zone $zone to named.conf" + cat >>"${dir}/named.conf" <<EOF zone "$zone" { type primary; file "${zonefile}.signed"; @@ -121,5 +118,5 @@ zone "$zone" { }; EOF - fi + fi done diff --git a/bin/tests/system/enginepkcs11/tests.sh b/bin/tests/system/enginepkcs11/tests.sh index f8f0317..b518c79 100644 --- a/bin/tests/system/enginepkcs11/tests.sh +++ b/bin/tests/system/enginepkcs11/tests.sh @@ -23,65 +23,62 @@ ret=0 n=0 dig_with_opts() ( - $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" ) # Perform tests inside ns1 dir cd ns1 for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \ - ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1 - # Edwards curves are not yet supported by OpenSC - # ed25519:EC:edwards25519 ed448:EC:edwards448 -do - alg=$(echo "$algtypebits" | cut -f 1 -d :) - type=$(echo "$algtypebits" | cut -f 2 -d :) - bits=$(echo "$algtypebits" | cut -f 3 -d :) - zone="${alg}.example" - zonefile="zone.${zone}.db.signed" - - if [ ! -f $zonefile ]; then - echo_i "skipping test for ${alg}:${type}:${bits}, no signed zone file ${zonefile}" - continue - fi - - # Basic checks if setup was successful. - n=$((n+1)) - ret=0 - echo_i "Test key generation was successful for $zone ($n)" - count=$(ls K*.key | grep "K${zone}" | wc -l) - test "$count" -eq 4 || ret=1 - test "$ret" -eq 0 || echo_i "failed (expected 4 keys, got $count)" - status=$((status+ret)) - - n=$((n+1)) - ret=0 - echo_i "Test zone signing was successful for $zone ($n)" - $VERIFY -z -o $zone "${zonefile}" > verify.out.$zone.$n 2>&1 || ret=1 - test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)" - status=$((status+ret)) - - # Test inline signing with keys stored in engine. - zskid1=$(cat "${zone}.zskid1") - zskid2=$(cat "${zone}.zskid2") - - n=$((n+1)) - ret=0 - echo_i "Test inline signing for $zone ($n)" - dig_with_opts "$zone" @10.53.0.1 SOA > dig.out.soa.$zone.$n || ret=1 - awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n > dig.out.keyids.$zone.$n || return 1 - numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) - test $numsigs -eq 1 || return 1 - grep -w "$zskid1" dig.out.keyids.$zone.$n > /dev/null || return 1 - test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed with key $zskid1)" - status=$((status+ret)) - - - n=$((n+1)) - ret=0 - echo_i "Dynamically update $zone, add new zsk ($n)" - zsk2=$(grep -v ';' K${zone}.*.zsk2) - cat > "update.cmd.zsk.$zone.$n" <<EOF + ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1; do # Edwards curves are not yet supported by OpenSC + # ed25519:EC:edwards25519 ed448:EC:edwards448 + alg=$(echo "$algtypebits" | cut -f 1 -d :) + type=$(echo "$algtypebits" | cut -f 2 -d :) + bits=$(echo "$algtypebits" | cut -f 3 -d :) + zone="${alg}.example" + zonefile="zone.${zone}.db.signed" + + if [ ! -f $zonefile ]; then + echo_i "skipping test for ${alg}:${type}:${bits}, no signed zone file ${zonefile}" + continue + fi + + # Basic checks if setup was successful. + n=$((n + 1)) + ret=0 + echo_i "Test key generation was successful for $zone ($n)" + count=$(ls K*.key | grep "K${zone}" | wc -l) + test "$count" -eq 4 || ret=1 + test "$ret" -eq 0 || echo_i "failed (expected 4 keys, got $count)" + status=$((status + ret)) + + n=$((n + 1)) + ret=0 + echo_i "Test zone signing was successful for $zone ($n)" + $VERIFY -z -o $zone "${zonefile}" >verify.out.$zone.$n 2>&1 || ret=1 + test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)" + status=$((status + ret)) + + # Test inline signing with keys stored in engine. + zskid1=$(cat "${zone}.zskid1") + zskid2=$(cat "${zone}.zskid2") + + n=$((n + 1)) + ret=0 + echo_i "Test inline signing for $zone ($n)" + dig_with_opts "$zone" @10.53.0.1 SOA >dig.out.soa.$zone.$n || ret=1 + awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n >dig.out.keyids.$zone.$n || return 1 + numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) + test $numsigs -eq 1 || return 1 + grep -w "$zskid1" dig.out.keyids.$zone.$n >/dev/null || return 1 + test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed with key $zskid1)" + status=$((status + ret)) + + n=$((n + 1)) + ret=0 + echo_i "Dynamically update $zone, add new zsk ($n)" + zsk2=$(grep -v ';' K${zone}.*.zsk2) + cat >"update.cmd.zsk.$zone.$n" <<EOF server 10.53.0.1 $PORT ttl 300 zone $zone @@ -89,47 +86,47 @@ update add $zsk2 send EOF - $NSUPDATE -v > "update.log.zsk.$zone.$n" < "update.cmd.zsk.$zone.$n" || ret=1 - test "$ret" -eq 0 || echo_i "failed (update failed)" - status=$((status+ret)) - - n=$((n+1)) - ret=0 - echo_i "Test DNSKEY response for $zone after inline signing ($n)" - _dig_dnskey() ( - dig_with_opts "$zone" @10.53.0.1 DNSKEY > dig.out.dnskey.$zone.$n || return 1 - count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n) - test $count -eq 3 - ) - retry_quiet 10 _dig_dnskey || ret=1 - test "$ret" -eq 0 || echo_i "failed (expected 3 DNSKEY records)" - status=$((status+ret)) - - n=$((n+1)) - ret=0 - echo_i "Test SOA response for $zone after inline signing ($n)" - _dig_soa() ( - dig_with_opts "$zone" @10.53.0.1 SOA > dig.out.soa.$zone.$n || return 1 - awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n > dig.out.keyids.$zone.$n || return 1 - numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) - test $numsigs -eq 2 || return 1 - grep -w "$zskid1" dig.out.keyids.$zone.$n > /dev/null || return 1 - grep -w "$zskid2" dig.out.keyids.$zone.$n > /dev/null || return 1 - return 0 - ) - retry_quiet 10 _dig_soa || ret=1 - test "$ret" -eq 0 || echo_i "failed (expected 2 SOA RRSIG records)" - status=$((status+ret)) - - # Test inline signing with keys stored in engine (key signing). - kskid1=$(cat "${zone}.kskid1") - kskid2=$(cat "${zone}.kskid2") - - n=$((n+1)) - ret=0 - echo_i "Dynamically update $zone, add new ksk ($n)" - ksk2=$(grep -v ';' K${zone}.*.ksk2) - cat > "update.cmd.ksk.$zone.$n" <<EOF + $NSUPDATE -v >"update.log.zsk.$zone.$n" <"update.cmd.zsk.$zone.$n" || ret=1 + test "$ret" -eq 0 || echo_i "failed (update failed)" + status=$((status + ret)) + + n=$((n + 1)) + ret=0 + echo_i "Test DNSKEY response for $zone after inline signing ($n)" + _dig_dnskey() ( + dig_with_opts "$zone" @10.53.0.1 DNSKEY >dig.out.dnskey.$zone.$n || return 1 + count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n) + test $count -eq 3 + ) + retry_quiet 10 _dig_dnskey || ret=1 + test "$ret" -eq 0 || echo_i "failed (expected 3 DNSKEY records)" + status=$((status + ret)) + + n=$((n + 1)) + ret=0 + echo_i "Test SOA response for $zone after inline signing ($n)" + _dig_soa() ( + dig_with_opts "$zone" @10.53.0.1 SOA >dig.out.soa.$zone.$n || return 1 + awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n >dig.out.keyids.$zone.$n || return 1 + numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) + test $numsigs -eq 2 || return 1 + grep -w "$zskid1" dig.out.keyids.$zone.$n >/dev/null || return 1 + grep -w "$zskid2" dig.out.keyids.$zone.$n >/dev/null || return 1 + return 0 + ) + retry_quiet 10 _dig_soa || ret=1 + test "$ret" -eq 0 || echo_i "failed (expected 2 SOA RRSIG records)" + status=$((status + ret)) + + # Test inline signing with keys stored in engine (key signing). + kskid1=$(cat "${zone}.kskid1") + kskid2=$(cat "${zone}.kskid2") + + n=$((n + 1)) + ret=0 + echo_i "Dynamically update $zone, add new ksk ($n)" + ksk2=$(grep -v ';' K${zone}.*.ksk2) + cat >"update.cmd.ksk.$zone.$n" <<EOF server 10.53.0.1 $PORT ttl 300 zone $zone @@ -137,40 +134,40 @@ update add $ksk2 send EOF - $NSUPDATE -v > "update.log.ksk.$zone.$n" < "update.cmd.ksk.$zone.$n" || ret=1 - test "$ret" -eq 0 || echo_i "failed (update failed)" - status=$((status+ret)) - - n=$((n+1)) - ret=0 - echo_i "Test DNSKEY response for $zone after inline signing (key signing) ($n)" - _dig_dnskey_ksk() ( - dig_with_opts "$zone" @10.53.0.1 DNSKEY > dig.out.dnskey.$zone.$n || return 1 - count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n) - test $count -eq 4 || return 1 - awk '$4 == "RRSIG" { print $11 }' dig.out.dnskey.$zone.$n > dig.out.keyids.$zone.$n || return 1 - numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) - test $numsigs -eq 2 || return 1 - grep -w "$kskid1" dig.out.keyids.$zone.$n > /dev/null || return 1 - grep -w "$kskid2" dig.out.keyids.$zone.$n > /dev/null || return 1 - return 0 - ) - retry_quiet 10 _dig_dnskey_ksk || ret=1 - test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)" - status=$((status+ret)) + $NSUPDATE -v >"update.log.ksk.$zone.$n" <"update.cmd.ksk.$zone.$n" || ret=1 + test "$ret" -eq 0 || echo_i "failed (update failed)" + status=$((status + ret)) + + n=$((n + 1)) + ret=0 + echo_i "Test DNSKEY response for $zone after inline signing (key signing) ($n)" + _dig_dnskey_ksk() ( + dig_with_opts "$zone" @10.53.0.1 DNSKEY >dig.out.dnskey.$zone.$n || return 1 + count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n) + test $count -eq 4 || return 1 + awk '$4 == "RRSIG" { print $11 }' dig.out.dnskey.$zone.$n >dig.out.keyids.$zone.$n || return 1 + numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) + test $numsigs -eq 2 || return 1 + grep -w "$kskid1" dig.out.keyids.$zone.$n >/dev/null || return 1 + grep -w "$kskid2" dig.out.keyids.$zone.$n >/dev/null || return 1 + return 0 + ) + retry_quiet 10 _dig_dnskey_ksk || ret=1 + test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)" + status=$((status + ret)) done # Go back to main test dir. cd .. -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "Checking for assertion failure in pk11_numbits()" $PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt -dig_with_opts @10.53.0.1 version.bind. CH TXT > dig.out.pk11_numbits || ret=1 +dig_with_opts @10.53.0.1 version.bind. CH TXT >dig.out.pk11_numbits || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 |