summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/enginepkcs11/tests.sh
diff options
context:
space:
mode:
Diffstat (limited to 'bin/tests/system/enginepkcs11/tests.sh')
-rw-r--r--bin/tests/system/enginepkcs11/tests.sh233
1 files changed, 115 insertions, 118 deletions
diff --git a/bin/tests/system/enginepkcs11/tests.sh b/bin/tests/system/enginepkcs11/tests.sh
index f8f0317..b518c79 100644
--- a/bin/tests/system/enginepkcs11/tests.sh
+++ b/bin/tests/system/enginepkcs11/tests.sh
@@ -23,65 +23,62 @@ ret=0
n=0
dig_with_opts() (
- $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+ $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
)
# Perform tests inside ns1 dir
cd ns1
for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
- ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1
- # Edwards curves are not yet supported by OpenSC
- # ed25519:EC:edwards25519 ed448:EC:edwards448
-do
- alg=$(echo "$algtypebits" | cut -f 1 -d :)
- type=$(echo "$algtypebits" | cut -f 2 -d :)
- bits=$(echo "$algtypebits" | cut -f 3 -d :)
- zone="${alg}.example"
- zonefile="zone.${zone}.db.signed"
-
- if [ ! -f $zonefile ]; then
- echo_i "skipping test for ${alg}:${type}:${bits}, no signed zone file ${zonefile}"
- continue
- fi
-
- # Basic checks if setup was successful.
- n=$((n+1))
- ret=0
- echo_i "Test key generation was successful for $zone ($n)"
- count=$(ls K*.key | grep "K${zone}" | wc -l)
- test "$count" -eq 4 || ret=1
- test "$ret" -eq 0 || echo_i "failed (expected 4 keys, got $count)"
- status=$((status+ret))
-
- n=$((n+1))
- ret=0
- echo_i "Test zone signing was successful for $zone ($n)"
- $VERIFY -z -o $zone "${zonefile}" > verify.out.$zone.$n 2>&1 || ret=1
- test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)"
- status=$((status+ret))
-
- # Test inline signing with keys stored in engine.
- zskid1=$(cat "${zone}.zskid1")
- zskid2=$(cat "${zone}.zskid2")
-
- n=$((n+1))
- ret=0
- echo_i "Test inline signing for $zone ($n)"
- dig_with_opts "$zone" @10.53.0.1 SOA > dig.out.soa.$zone.$n || ret=1
- awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n > dig.out.keyids.$zone.$n || return 1
- numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
- test $numsigs -eq 1 || return 1
- grep -w "$zskid1" dig.out.keyids.$zone.$n > /dev/null || return 1
- test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed with key $zskid1)"
- status=$((status+ret))
-
-
- n=$((n+1))
- ret=0
- echo_i "Dynamically update $zone, add new zsk ($n)"
- zsk2=$(grep -v ';' K${zone}.*.zsk2)
- cat > "update.cmd.zsk.$zone.$n" <<EOF
+ ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1; do # Edwards curves are not yet supported by OpenSC
+ # ed25519:EC:edwards25519 ed448:EC:edwards448
+ alg=$(echo "$algtypebits" | cut -f 1 -d :)
+ type=$(echo "$algtypebits" | cut -f 2 -d :)
+ bits=$(echo "$algtypebits" | cut -f 3 -d :)
+ zone="${alg}.example"
+ zonefile="zone.${zone}.db.signed"
+
+ if [ ! -f $zonefile ]; then
+ echo_i "skipping test for ${alg}:${type}:${bits}, no signed zone file ${zonefile}"
+ continue
+ fi
+
+ # Basic checks if setup was successful.
+ n=$((n + 1))
+ ret=0
+ echo_i "Test key generation was successful for $zone ($n)"
+ count=$(ls K*.key | grep "K${zone}" | wc -l)
+ test "$count" -eq 4 || ret=1
+ test "$ret" -eq 0 || echo_i "failed (expected 4 keys, got $count)"
+ status=$((status + ret))
+
+ n=$((n + 1))
+ ret=0
+ echo_i "Test zone signing was successful for $zone ($n)"
+ $VERIFY -z -o $zone "${zonefile}" >verify.out.$zone.$n 2>&1 || ret=1
+ test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)"
+ status=$((status + ret))
+
+ # Test inline signing with keys stored in engine.
+ zskid1=$(cat "${zone}.zskid1")
+ zskid2=$(cat "${zone}.zskid2")
+
+ n=$((n + 1))
+ ret=0
+ echo_i "Test inline signing for $zone ($n)"
+ dig_with_opts "$zone" @10.53.0.1 SOA >dig.out.soa.$zone.$n || ret=1
+ awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n >dig.out.keyids.$zone.$n || return 1
+ numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
+ test $numsigs -eq 1 || return 1
+ grep -w "$zskid1" dig.out.keyids.$zone.$n >/dev/null || return 1
+ test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed with key $zskid1)"
+ status=$((status + ret))
+
+ n=$((n + 1))
+ ret=0
+ echo_i "Dynamically update $zone, add new zsk ($n)"
+ zsk2=$(grep -v ';' K${zone}.*.zsk2)
+ cat >"update.cmd.zsk.$zone.$n" <<EOF
server 10.53.0.1 $PORT
ttl 300
zone $zone
@@ -89,47 +86,47 @@ update add $zsk2
send
EOF
- $NSUPDATE -v > "update.log.zsk.$zone.$n" < "update.cmd.zsk.$zone.$n" || ret=1
- test "$ret" -eq 0 || echo_i "failed (update failed)"
- status=$((status+ret))
-
- n=$((n+1))
- ret=0
- echo_i "Test DNSKEY response for $zone after inline signing ($n)"
- _dig_dnskey() (
- dig_with_opts "$zone" @10.53.0.1 DNSKEY > dig.out.dnskey.$zone.$n || return 1
- count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
- test $count -eq 3
- )
- retry_quiet 10 _dig_dnskey || ret=1
- test "$ret" -eq 0 || echo_i "failed (expected 3 DNSKEY records)"
- status=$((status+ret))
-
- n=$((n+1))
- ret=0
- echo_i "Test SOA response for $zone after inline signing ($n)"
- _dig_soa() (
- dig_with_opts "$zone" @10.53.0.1 SOA > dig.out.soa.$zone.$n || return 1
- awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n > dig.out.keyids.$zone.$n || return 1
- numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
- test $numsigs -eq 2 || return 1
- grep -w "$zskid1" dig.out.keyids.$zone.$n > /dev/null || return 1
- grep -w "$zskid2" dig.out.keyids.$zone.$n > /dev/null || return 1
- return 0
- )
- retry_quiet 10 _dig_soa || ret=1
- test "$ret" -eq 0 || echo_i "failed (expected 2 SOA RRSIG records)"
- status=$((status+ret))
-
- # Test inline signing with keys stored in engine (key signing).
- kskid1=$(cat "${zone}.kskid1")
- kskid2=$(cat "${zone}.kskid2")
-
- n=$((n+1))
- ret=0
- echo_i "Dynamically update $zone, add new ksk ($n)"
- ksk2=$(grep -v ';' K${zone}.*.ksk2)
- cat > "update.cmd.ksk.$zone.$n" <<EOF
+ $NSUPDATE -v >"update.log.zsk.$zone.$n" <"update.cmd.zsk.$zone.$n" || ret=1
+ test "$ret" -eq 0 || echo_i "failed (update failed)"
+ status=$((status + ret))
+
+ n=$((n + 1))
+ ret=0
+ echo_i "Test DNSKEY response for $zone after inline signing ($n)"
+ _dig_dnskey() (
+ dig_with_opts "$zone" @10.53.0.1 DNSKEY >dig.out.dnskey.$zone.$n || return 1
+ count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
+ test $count -eq 3
+ )
+ retry_quiet 10 _dig_dnskey || ret=1
+ test "$ret" -eq 0 || echo_i "failed (expected 3 DNSKEY records)"
+ status=$((status + ret))
+
+ n=$((n + 1))
+ ret=0
+ echo_i "Test SOA response for $zone after inline signing ($n)"
+ _dig_soa() (
+ dig_with_opts "$zone" @10.53.0.1 SOA >dig.out.soa.$zone.$n || return 1
+ awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n >dig.out.keyids.$zone.$n || return 1
+ numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
+ test $numsigs -eq 2 || return 1
+ grep -w "$zskid1" dig.out.keyids.$zone.$n >/dev/null || return 1
+ grep -w "$zskid2" dig.out.keyids.$zone.$n >/dev/null || return 1
+ return 0
+ )
+ retry_quiet 10 _dig_soa || ret=1
+ test "$ret" -eq 0 || echo_i "failed (expected 2 SOA RRSIG records)"
+ status=$((status + ret))
+
+ # Test inline signing with keys stored in engine (key signing).
+ kskid1=$(cat "${zone}.kskid1")
+ kskid2=$(cat "${zone}.kskid2")
+
+ n=$((n + 1))
+ ret=0
+ echo_i "Dynamically update $zone, add new ksk ($n)"
+ ksk2=$(grep -v ';' K${zone}.*.ksk2)
+ cat >"update.cmd.ksk.$zone.$n" <<EOF
server 10.53.0.1 $PORT
ttl 300
zone $zone
@@ -137,40 +134,40 @@ update add $ksk2
send
EOF
- $NSUPDATE -v > "update.log.ksk.$zone.$n" < "update.cmd.ksk.$zone.$n" || ret=1
- test "$ret" -eq 0 || echo_i "failed (update failed)"
- status=$((status+ret))
-
- n=$((n+1))
- ret=0
- echo_i "Test DNSKEY response for $zone after inline signing (key signing) ($n)"
- _dig_dnskey_ksk() (
- dig_with_opts "$zone" @10.53.0.1 DNSKEY > dig.out.dnskey.$zone.$n || return 1
- count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
- test $count -eq 4 || return 1
- awk '$4 == "RRSIG" { print $11 }' dig.out.dnskey.$zone.$n > dig.out.keyids.$zone.$n || return 1
- numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
- test $numsigs -eq 2 || return 1
- grep -w "$kskid1" dig.out.keyids.$zone.$n > /dev/null || return 1
- grep -w "$kskid2" dig.out.keyids.$zone.$n > /dev/null || return 1
- return 0
- )
- retry_quiet 10 _dig_dnskey_ksk || ret=1
- test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)"
- status=$((status+ret))
+ $NSUPDATE -v >"update.log.ksk.$zone.$n" <"update.cmd.ksk.$zone.$n" || ret=1
+ test "$ret" -eq 0 || echo_i "failed (update failed)"
+ status=$((status + ret))
+
+ n=$((n + 1))
+ ret=0
+ echo_i "Test DNSKEY response for $zone after inline signing (key signing) ($n)"
+ _dig_dnskey_ksk() (
+ dig_with_opts "$zone" @10.53.0.1 DNSKEY >dig.out.dnskey.$zone.$n || return 1
+ count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
+ test $count -eq 4 || return 1
+ awk '$4 == "RRSIG" { print $11 }' dig.out.dnskey.$zone.$n >dig.out.keyids.$zone.$n || return 1
+ numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
+ test $numsigs -eq 2 || return 1
+ grep -w "$kskid1" dig.out.keyids.$zone.$n >/dev/null || return 1
+ grep -w "$kskid2" dig.out.keyids.$zone.$n >/dev/null || return 1
+ return 0
+ )
+ retry_quiet 10 _dig_dnskey_ksk || ret=1
+ test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)"
+ status=$((status + ret))
done
# Go back to main test dir.
cd ..
-n=$((n+1))
+n=$((n + 1))
ret=0
echo_i "Checking for assertion failure in pk11_numbits()"
$PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt
-dig_with_opts @10.53.0.1 version.bind. CH TXT > dig.out.pk11_numbits || ret=1
+dig_with_opts @10.53.0.1 version.bind. CH TXT >dig.out.pk11_numbits || ret=1
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-01 12:30:01 +0000