Commit a6bdb963 authored by Ondřej Surý's avatar Ondřej Surý

Refactor the pkcs11 to test for individual algorithms

parent 2e6b7a56
......@@ -9,9 +9,6 @@
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=.
. $SYSTEMTESTTOP/conf.sh
. "$SYSTEMTESTTOP/conf.sh"
if [ ! -x ../../pkcs11/pkcs11-destroy ]; then exit 1; fi
$PK11DEL -w0 > /dev/null 2>&1
[ -x "$TOP_BUILDDIR/bin/pkcs11/pkcs11-destroy" ] && $PK11DEL -w0 > /dev/null 2>&1
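Review bot: The new last line, `[ -x "$TOP_BUILDDIR/bin/pkcs11/pkcs11-destroy" ] && $PK11DEL -w0 > /dev/null 2>&1`, returns the same non-zero status for a missing binary and for a failed destroy, and discards the tool's output in both cases. If this is the script's final command (the hunk ends here, so that is inferred), a token that could not be wiped is reported exactly like an unbuilt tool. Splitting it keeps the two apart: `[ -x "$TOP_BUILDDIR/bin/pkcs11/pkcs11-destroy" ] || exit 1` followed by `$PK11DEL -w0 > /dev/null`, which leaves stderr visible. Because the call names no label or id, a comment saying it is meant to run only against the test token would also help.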
......@@ -12,9 +12,8 @@
set -e
rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
rm -f dig.out* pin upd.log*
rm -f ns1/*.key ns1/named.memstats
rm -f dig.out* pin upd.log* upd.cmd* pkcs11-list.out*
rm -f ns1/*.ksk ns1/*.zsk ns1/named.memstats
rm -f supported
rm -f ns*/named.run
rm -f ns*/named.lock
rm -f ns*/named.run ns*/named.lock ns*/named.conf
rm -f ns*/managed-keys.bind*
......@@ -15,7 +15,7 @@ options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port 5300;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
......@@ -30,23 +30,5 @@ key rndc_key {
};
controls {
inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
};
zone "rsa.example." {
type master;
file "rsa.example.db.signed";
allow-update { any; };
};
zone "ecc.example." {
type master;
file "ecc.example.db.signed";
allow-update { any; };
};
zone "ecx.example." {
type master;
file "ecx.example.db.signed";
allow-update { any; };
inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
......@@ -9,105 +9,83 @@
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
set -e
set -eu
# shellcheck source=conf.sh
. $SYSTEMTESTTOP/conf.sh
. "$SYSTEMTESTTOP/conf.sh"
echo "I:(Native PKCS#11)" >&2
ecxfail=0
$SHELL ../testcrypto.sh -q eddsa || ecxfail=1
rm -f supported
touch supported
echo rsa >> supported
echo ecc >> supported
if [ $ecxfail = 0 ]; then
echo ecx >> supported
fi
echo_i "Generating keys for Native PKCS#11" >&2
infile=ns1/example.db.in
printf '%s' "${HSMPIN:-1234}" > pin
PWD=$(pwd)
zone=rsa.example
zonefile=ns1/rsa.example.db
have_rsa=$(grep rsa supported || true)
if [ "x$have_rsa" != "x" ]; then
$PK11GEN -a RSA -b 1024 -l robie-rsa-zsk1 -i 01
$PK11GEN -a RSA -b 1024 -l robie-rsa-zsk2 -i 02
$PK11GEN -a RSA -b 2048 -l robie-rsa-ksk
rsazsk1=$($KEYFRLAB -a RSASHA1 \
-l "object=robie-rsa-zsk1;pin-source=$PWD/pin" rsa.example)
rsazsk2=$($KEYFRLAB -a RSASHA1 \
-l "object=robie-rsa-zsk2;pin-source=$PWD/pin" rsa.example)
rsaksk=$($KEYFRLAB -a RSASHA1 -f ksk \
-l "object=robie-rsa-ksk;pin-source=$PWD/pin" rsa.example)
cat $infile "$rsazsk1".key "$rsaksk".key > $zonefile
$SIGNER -a -P -g -o $zone $zonefile \
> /dev/null 2> signer.err || cat signer.err
cp "$rsazsk2".key ns1/rsa.key
mv Krsa* ns1
else
# RSA not available and will not be tested; make a placeholder
cp $infile ${zonefile}.signed
fi
zone=ecc.example
zonefile=ns1/ecc.example.db
have_ecc=$(grep ecc supported || true)
if [ "x$have_ecc" != "x" ]; then
$PK11GEN -a ECC -b 256 -l robie-ecc-zsk1 -i 03
$PK11GEN -a ECC -b 256 -l robie-ecc-zsk2 -i 04
$PK11GEN -a ECC -b 384 -l robie-ecc-ksk
ecczsk1=$($KEYFRLAB -a ECDSAP256SHA256 \
-l "object=robie-ecc-zsk1;pin-source=$PWD/pin" ecc.example)
ecczsk2=$($KEYFRLAB -a ECDSAP256SHA256 \
-l "object=robie-ecc-zsk2;pin-source=$PWD/pin" ecc.example)
eccksk=$($KEYFRLAB -a ECDSAP384SHA384 -f ksk \
-l "object=robie-ecc-ksk;pin-source=$PWD/pin" ecc.example)
cat $infile "$ecczsk1".key "$eccksk".key > $zonefile
$SIGNER -a -P -g -o $zone $zonefile \
> /dev/null 2> signer.err || cat signer.err
cp "$ecczsk2".key ns1/ecc.key
mv Kecc* ns1
else
# ECC not available and will not be tested; make a placeholder
cp $infile ${zonefile}.signed
fi
zone=ecx.example
zonefile=ns1/ecx.example.db
have_ecx=$(grep ecx supported || true)
if [ "x$have_ecx" != "x" ]; then
$PK11GEN -a ECX -b 256 -l robie-ecx-zsk1 -i 05
$PK11GEN -a ECX -b 256 -l robie-ecx-zsk2 -i 06
$PK11GEN -a ECX -b 256 -l robie-ecx-ksk
# $PK11GEN -a ECX -b 456 -l robie-ecx-ksk
ecxzsk1=$($KEYFRLAB -a ED25519 \
-l "object=robie-ecx-zsk1;pin-source=$PWD/pin" ecx.example)
ecxzsk2=$($KEYFRLAB -a ED25519 \
-l "object=robie-ecx-zsk2;pin-source=$PWD/pin" ecx.example)
ecxksk=$($KEYFRLAB -a ED25519 -f ksk \
-l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example)
# ecxksk=`$KEYFRLAB -a ED448 -f ksk \
# -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example`
cat $infile "$ecxzsk1".key "$ecxksk".key > $zonefile
$SIGNER -a -P -g -o $zone $zonefile \
> /dev/null 2> signer.err || cat signer.err
cp "$ecxzsk2".key ns1/ecx.key
mv Kecx* ns1
else
# ECX not available and will not be tested; make a placeholder
cp $infile ${zonefile}.signed
fi
rm -f signer.err
copy_setports ns1/named.conf.in ns1/named.conf
get_random() {
dd if=/dev/urandom bs=1 count=2 2>/dev/null | od -tu2 -An
}
genpkcs() (
alg="$1"
bits="$2"
label="$3"
id="$(get_random)"
$PK11DEL -l "$label" -w0 >/dev/null || true
$PK11GEN -a "$alg" -b "$bits" -l "$label" -i "$id" >/dev/null
)
keyfrlab() (
alg="$1"
bits="$2"
label="$3"
zone="$4"
shift 4
$KEYFRLAB -a "$alg" -l "pkcs11:object=$label;pin-source=$PWD/pin" "$@" "$zone"
)
genzsk() (
genpkcs "$@"
keyfrlab "$@"
)
genksk() (
genpkcs "$@"
keyfrlab "$@" -f ksk
)
algs=
for algbits in rsasha256:2048 rsasha512:2048 ecdsap256sha256:256 ecdsap384sha384:384 ed25519:256 ed448:456; do
alg=$(echo "$algbits" | cut -f 1 -d :)
bits=$(echo "$algbits" | cut -f 2 -d :)
zone="$alg.example"
zonefile="ns1/$alg.example.db"
if $SHELL "$SYSTEMTESTTOP/testcrypto.sh" "$alg"; then
echo "$alg" >> supported
algs="$algs$alg "
zsk1=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk1" "$zone")
zsk2=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk2" "$zone")
ksk1=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk1" "$zone")
ksk2=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk2" "$zone")
cat "$infile" "$zsk1.key" "$ksk1.key" > "$zonefile"
$SIGNER -a -P -g -o "$zone" "$zonefile" > /dev/null
cp "$zsk2.key" "ns1/$alg.zsk"
cp "$ksk2.key" "ns1/$alg.ksk"
mv "K$alg"* ns1/
cat >> ns1/named.conf <<EOF
zone "$alg.example." {
type master;
file "$alg.example.db.signed";
allow-update { any; };
};
EOF
fi
done
echo_i "Generated keys for Native PKCS#11: $algs"
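Review bot: The PIN file is created with whatever umask the caller happens to have: `printf '%s' "${HSMPIN:-1234}" > pin` writes the token PIN into the working directory, and the new `keyfrlab` helper passes that path in every `pin-source=$PWD/pin` URI. With the default PIN this matters little, but when `HSMPIN` is set for a real token the credential may be readable by other local users until a cleanup `rm -f ... pin` runs. Under `set -eu` an aborted setup leaves the file behind. Creating it in a restricted subshell avoids that: `(umask 077 && printf '%s' "${HSMPIN:-1234}" > pin)`.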
......@@ -12,80 +12,130 @@
set -e
# shellcheck source=conf.sh
. $SYSTEMTESTTOP/conf.sh
. "$SYSTEMTESTTOP/conf.sh"
dig_with_opts() {
$DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300 "$@"
count_rrsigs() (
grep -c "IN[[:space:]]*RRSIG" "$@" || true
)
dig_with_opts() (
$DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
)
dig_for_rr() (
alg=$1
rrtype=$2
count0=$3
dig_with_opts "$alg.example." @10.53.0.1 "$rrtype" > "dig.out.$rrtype.$alg" &&
count=$(count_rrsigs "dig.out.$rrtype.$alg") &&
test "$count" -gt "$count0"
)
test_done() {
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
ret=0
}
status=0
ret=0
algs=""
have_rsa=$(grep rsa supported || true)
if [ "x$have_rsa" != "x" ]; then
algs="rsa "
fi
have_ecc=$(grep ecc supported || true)
if [ "x$have_ecc" != "x" ]; then
algs=$algs"ecc "
fi
have_ecx=$(grep ecx supported || true)
if [ "x$have_ecx" != "x" ]; then
algs=$algs"ecx "
fi
for alg in $algs; do
zonefile=ns1/$alg.example.db
echo "I:testing PKCS#11 key generation ($alg)"
count=$($PK11LIST | grep -c "robie-$alg-ksk" || true)
if [ "$count" -ne 2 ]; then echo "I:failed"; status=1; fi
echo "I:testing offline signing with PKCS#11 keys ($alg)"
count=$(grep -c RRSIG "$zonefile.signed" || true)
if [ "$count" -ne 12 ]; then echo "I:failed"; status=1; fi
echo "I:testing inline signing with PKCS#11 keys ($alg)"
dig_with_opts "ns.$alg.example." @10.53.0.1 a > "dig.out.$alg.0" || ret=1
if [ $ret -ne 0 ]; then echo "I:failed"; fi
status=$((status + ret))
count0=$(grep -c RRSIG "dig.out.$alg.0" || true)
$NSUPDATE -v > "upd.log.$alg" <<END || status=1
server 10.53.0.1 5300
n=0
while read -r alg; do
zonefile=ns1/$alg.example.db
echo_i "testing PKCS#11 key generation ($alg)"
count=$($PK11LIST | grep -c "pkcs11-$alg-ksk" || true)
[ "$count" -eq 4 ] || ret=1
test_done
echo_i "testing offline signing with PKCS#11 keys ($alg)"
count=$(grep -c "[0-9][[:space:]]*RRSIG" "$zonefile.signed")
[ "$count" -eq 9 ] || ret=1
test_done
echo_i "testing inline signing with new PKCS#11 ZSK ($alg)"
dig_with_opts "$alg.example." @10.53.0.1 "SOA" > "dig.out.SOA.$alg.0" || ret=1
countSOA0=$(count_rrsigs "dig.out.SOA.$alg.0")
new_zsk=$(grep -v ';' "ns1/$alg.zsk")
cat > "upd.cmd.ZSK.$alg" <<EOF
server 10.53.0.1 $PORT
ttl 300
zone $alg.example.
update add $(grep -v ';' "ns1/${alg}.key" || true)
update add $new_zsk
send
END
EOF
echo "I:waiting 20 seconds for key changes to take effect"
sleep 20
$NSUPDATE -v > "upd.log.ZSK.$alg" < "upd.cmd.ZSK.$alg" || ret=1
dig_with_opts "ns.$alg.example." @10.53.0.1 a > "dig.out.$alg" || ret=1
if [ $ret -ne 0 ]; then echo "I:failed"; fi
status=$((status + ret))
count=$(grep -c RRSIG "dig.out.$alg" || true)
if [ "$count" -le "$count0" ]; then echo "I:failed"; status=1; fi
retry_quiet 20 dig_for_rr "$alg" "SOA" "$countSOA0" || ret=1
test_done
echo "I:testing PKCS#11 key destroy ($alg)"
ret=0
$PK11DEL -l "robie-$alg-ksk" -w0 > /dev/null 2>&1 || ret=1
$PK11DEL -l "robie-$alg-zsk1" -w0 > /dev/null 2>&1 || ret=1
case $alg in
rsa) id=02 ;;
ecc) id=04 ;;
ecx) id=06 ;;
esac
$PK11DEL -i $id -w0 > /dev/null 2>&1 || ret=1
if [ $ret -ne 0 ]; then echo "I:failed"; fi
status=$((status + ret))
count=$($PK11LIST | grep -c "robie-$alg" || true)
if [ "$count" -ne 0 ]; then echo "I:failed"; fi
status=$((status + count))
done
echo "I:exit status: $status"
echo_i "testing inline signing with new PKCS#11 KSK ($alg)"
dig_with_opts "$alg.example." @10.53.0.1 "DNSKEY" > "dig.out.DNSKEY.$alg.0" || ret=1
countDNSKEY0=$(count_rrsigs "dig.out.DNSKEY.$alg.0")
new_ksk=$(grep -v ';' "ns1/$alg.ksk")
cat > "upd.cmd.KSK.$alg" <<EOF
server 10.53.0.1 $PORT
ttl 300
zone $alg.example.
update add $new_ksk
send
EOF
$NSUPDATE -v > "upd.log.KSK.$alg" < "upd.cmd.KSK.$alg" || ret=1
retry_quiet 20 dig_for_rr "$alg" "DNSKEY" "$countDNSKEY0" || ret=1
test_done
echo_i "testing PKCS#11 key destroy ($alg)"
# Lookup all existing keys
echo_i "looking up all existing keys ($alg)"
$PK11LIST > "pkcs11-list.out.id.$alg" || ret=1
test_done
echo_i "destroying key with 'pkcs11-$alg-ksk1' label ($alg)"
$PK11DEL -l "pkcs11-$alg-ksk1" > /dev/null 2>&1 || ret=1
test_done
echo_i "destroying key with 'pkcs11-$alg-zsk1' label ($alg)"
$PK11DEL -l "pkcs11-$alg-zsk1" > /dev/null 2>&1 || ret=1
test_done
id=$(awk -v label="'pkcs11-$alg-ksk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg")
echo_i "destroying key with $id id ($alg)"
if [ -n "$id" ]; then
$PK11DEL -i "$id" > /dev/null 2>&1 || ret=1
else
ret=1
fi
test_done
id=$(awk -v label="'pkcs11-$alg-zsk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg")
echo_i "destroying key with $id id ($alg)"
if [ -n "$id" ]; then
$PK11DEL -i "$id" > /dev/null 2>&1 || ret=1
else
ret=1
fi
test_done
echo_i "checking if all keys have been destroyed ($alg)"
$PK11LIST > "pkcs11-list.out.$alg" || ret=1
count=$(grep -c "pkcs11-$alg-[kz]sk[0-9]*" "pkcs11-list.out.$alg" || true)
[ "$count" -eq 0 ] || ret=1
test_done
n=$((n+1))
done < supported
echo_i "Checking if all supported algorithms were tested"
[ "$n" -eq "$(wc -l < supported)" ] || ret=1
test_done
echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1
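Review bot: The closing check `[ "$n" -eq "$(wc -l < supported)" ] || ret=1` also passes when `supported` exists but is empty, because the `while read -r alg` loop then runs zero times and `0 -eq 0` holds. The run would report `exit status: 0` without having generated, signed with or destroyed a single PKCS#11 key. Whether setup can leave an empty `supported` is not visible in this section, so a lower bound is the safer choice: `[ "$n" -gt 0 ] || ret=1` ahead of the existing comparison. A short comment stating that the comparison is there to catch a loop that stopped early would document the intent.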
......@@ -29,11 +29,27 @@ while test "$#" -gt 0; do
alg="-a RSASHA1"
msg="RSA cryptography"
;;
ecdsa|ECDSA)
alg="-a ecdsap256sha256"
rsasha256|RSASHA256)
alg="-a RSASHA256"
msg="RSA cryptography"
;;
rsasha512|RSASHA512)
alg="-a RSASHA512"
msg="RSA cryptography"
;;
ecdsa|ECDSA|ecdsap256sha256|ECDSAP256SHA256)
alg="-a ECDSAP256SHA256"
msg="ECDSA cryptography"
;;
eddsa|EDDSA)
ecdsap384sha384|ECDSAP384SHA384)
alg="-a ECDSAP384SHA384"
msg="ECDSA cryptography"
;;
eddsa|EDDSA|ed25519|ED25519)
alg="-a ED25519"
msg="EDDSA cryptography"
;;
ed448|ED448)
alg="-a ED25519"
msg="EDDSA cryptography"
;;
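Review bot: In the `ed448|ED448)` arm the probe is still `alg="-a ED25519"`, so asking whether Ed448 is available actually tests Ed25519. The setup loop on this page lists `ed448:456` and generates keys for every algorithm the probe accepts. With `set -eu` in effect there, a build or token that has Ed25519 but not Ed448 would likely abort during key generation instead of skipping the algorithm. The arm should read `alg="-a ED448"`. The enclosing `case` starts and ends outside this hunk.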
......