Commit 9b9182fe authored by Francis Dupont's avatar Francis Dupont

Added Ed25519 support (#44696)

parent 93ae9a09
4665. [func] Add Ed25519 support (RFC 8080). [RT #25519]
4664. [func] Add a "glue-cache" option to enable or disable the
glue cache. The default is "no" to reduce memory
usage, but enabling this option will improve
......
......@@ -52,7 +52,8 @@ int verbose;
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
" NSEC3DSA | NSEC3RSASHA1 |"
" RSASHA256 | RSASHA512 | ECCGOST |"
" ECDSAP256SHA256 | ECDSAP384SHA384";
" ECDSAP256SHA256 | ECDSAP384SHA384 |"
" ED25519 | ED448";
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
......@@ -437,7 +438,8 @@ main(int argc, char **argv) {
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
alg != DST_ALG_ECCGOST &&
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
......
......@@ -102,7 +102,7 @@
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
These values are case insensitive.
</para>
<para>
......
......@@ -82,7 +82,8 @@ usage(void) {
" | NSEC3DSA |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 | ECCGOST |\n");
fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
fprintf(stderr, " DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
fprintf(stderr, " ED25519 | ED448 | DH |\n");
fprintf(stderr, " HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
"HMAC-SHA256 | \n");
fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");
fprintf(stderr, " (default: RSASHA1, or "
......@@ -101,6 +102,8 @@ usage(void) {
fprintf(stderr, " ECCGOST:\tignored\n");
fprintf(stderr, " ECDSAP256SHA256:\tignored\n");
fprintf(stderr, " ECDSAP384SHA384:\tignored\n");
fprintf(stderr, " ED25519:\tignored\n");
fprintf(stderr, " ED448:\tignored\n");
fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
......@@ -602,7 +605,8 @@ main(int argc, char **argv) {
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
alg != DST_ALG_ECCGOST &&
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
......@@ -636,7 +640,9 @@ main(int argc, char **argv) {
" to %d\n", size);
} else if (alg != DST_ALG_ECCGOST &&
alg != DST_ALG_ECDSA256 &&
alg != DST_ALG_ECDSA384)
alg != DST_ALG_ECDSA384 &&
alg != DST_ALG_ED25519 &&
alg != DST_ALG_ED448)
fatal("key size not specified (-b option)");
}
......@@ -773,6 +779,12 @@ main(int argc, char **argv) {
case DST_ALG_ECDSA384:
size = 384;
break;
case DST_ALG_ED25519:
size = 256;
break;
case DST_ALG_ED448:
size = 456;
break;
case DST_ALG_HMACMD5:
options |= DST_TYPE_KEY;
if (size < 1 || size > 512)
......@@ -906,6 +918,8 @@ main(int argc, char **argv) {
case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:
case DST_ALG_ED448:
show_progress = ISC_TRUE;
/* fall through */
......
......@@ -114,7 +114,7 @@
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
......@@ -186,8 +186,8 @@
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
are NSEC3-capable.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
algorithms are NSEC3-capable.
</para>
</listitem>
</varlistentry>
......
......@@ -73,6 +73,7 @@
#define WANT_DH_PRIMES
#define WANT_ECC_CURVES
#include <pk11/constants.h>
#include <pkcs11/eddsa.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
......@@ -82,13 +83,14 @@
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
/* Key class: RSA, ECC, DSA, DH, or unknown */
/* Key class: RSA, ECC, ECX, DSA, DH, or unknown */
typedef enum {
key_unknown,
key_rsa,
key_dsa,
key_dh,
key_ecc
key_ecc,
key_ecx
} key_class_t;
/*
......@@ -136,7 +138,7 @@ static CK_ATTRIBUTE rsa_template[] = {
};
/*
* Public key template for ECC keys
* Public key template for ECC/ECX keys
*/
#define ECC_LABEL 0
#define ECC_VERIFY 1
......@@ -247,6 +249,9 @@ keyclass_fromtext(const char *name) {
else if (strncasecmp(name, "ecc", 3) == 0 ||
strncasecmp(name, "ecdsa", 5) == 0)
return (key_ecc);
else if (strncasecmp(name, "ecx", 3) == 0 ||
strncasecmp(name, "ed", 2) == 0)
return (key_ecx);
else
return (key_unknown);
}
......@@ -425,6 +430,39 @@ main(int argc, char *argv[]) {
sizeof(pk11_ecc_secp384r1);
}
break;
case key_ecx:
#ifndef CKM_EDDSA_KEY_PAIR_GEN
fprintf(stderr, "CKM_EDDSA_KEY_PAIR_GEN is not defined\n");
usage();
#endif
op_type = OP_EC;
if (bits == 0)
bits = 256;
else if (bits != 256 && bits != 456) {
fprintf(stderr, "ECX keys only support bit sizes of "
"256 and 456\n");
exit(2);
}
mech.mechanism = CKM_EDDSA_KEY_PAIR_GEN;
mech.pParameter = NULL;
mech.ulParameterLen = 0;
public_template = ecc_template;
public_attrcnt = ECC_ATTRS;
id_offset = ECC_ID;
if (bits == 256) {
public_template[4].pValue = pk11_ecc_ed25519;
public_template[4].ulValueLen =
sizeof(pk11_ecc_ed25519);
} else {
public_template[4].pValue = pk11_ecc_ed448;
public_template[4].ulValueLen =
sizeof(pk11_ecc_ed448);
}
break;
case key_dsa:
op_type = OP_DSA;
......@@ -570,7 +608,7 @@ main(int argc, char *argv[]) {
private_template[5].pValue = &truevalue;
}
if (keyclass == key_rsa || keyclass == key_ecc)
if (keyclass == key_rsa || keyclass == key_ecc || keyclass == key_ecx)
goto generate_keys;
/*
......
......@@ -71,11 +71,11 @@
<listitem>
<para>
Specify the key algorithm class: Supported classes are RSA,
DSA, DH, and ECC. In addition to these strings, the
DSA, DH, ECC and ECX. In addition to these strings, the
<option>algorithm</option> can be specified as a DNSSEC
signing algorithm that will be used with this key; for
example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps
to ECC. The default class is "RSA".
example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps
to ECC, and ED25519 to ECX. The default class is "RSA".
</para>
</listitem>
</varlistentry>
......@@ -86,7 +86,8 @@
<para>
Create the key pair with <option>keysize</option> bits of
prime. For ECC keys, the only valid values are 256 and 384,
and the default is 256.
and the default is 256. For ECX kyes, the only valid values
are 256 and 456, and the default is 256.
</para>
</listitem>
</varlistentry>
......
......@@ -30,7 +30,7 @@ class dnskey:
_ALGNAMES = (None, 'RSAMD5', 'DH', 'DSA', 'ECC', 'RSASHA1',
'NSEC3DSA', 'NSEC3RSASHA1', 'RSASHA256', None,
'RSASHA512', None, 'ECCGOST', 'ECDSAP256SHA256',
'ECDSAP384SHA384')
'ECDSAP384SHA384', 'ED25519', 'ED448')
def __init__(self, key, directory=None, keyttl=None):
# this makes it possible to use algname as a class or instance method
......
......@@ -68,7 +68,7 @@ class PolicyLex:
return t
def t_ALGNAME(self, t):
r'(?i)\b(RSAMD5|DH|DSA|NSEC3DSA|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECCGOST|ECDSAP256SHA256|ECDSAP384SHA384)\b'
r'(?i)\b(RSAMD5|DH|DSA|NSEC3DSA|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECCGOST|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b'
t.value = t.value.upper()
return t
......@@ -138,7 +138,9 @@ class Policy:
'RSASHA512': [1024, 4096],
'ECCGOST': None,
'ECDSAP256SHA256': None,
'ECDSAP384SHA384': None}
'ECDSAP384SHA384': None,
'ED25519': None,
'ED448': None}
def __init__(self, name=None, algorithm=None, parent=None):
self.name = name
......@@ -275,7 +277,9 @@ class Policy:
if self.algorithm in ['ECCGOST', \
'ECDSAP256SHA256', \
'ECDSAP384SHA384']:
'ECDSAP384SHA384', \
'ED25519', \
'ED448']:
self.ksk_keysize = None
self.zsk_keysize = None
......@@ -378,6 +382,18 @@ class dnssec_policy:
self.alg_policy['ECDSAP384SHA384'].ksk_keysize = None;
self.alg_policy['ECDSAP384SHA384'].zsk_keysize = None;
self.alg_policy['ED25519'] = copy(p)
self.alg_policy['ED25519'].algorithm = "ED25519"
self.alg_policy['ED25519'].name = "ED25519"
self.alg_policy['ED25519'].ksk_keysize = None;
self.alg_policy['ED25519'].zsk_keysize = None;
self.alg_policy['ED448'] = copy(p)
self.alg_policy['ED448'].algorithm = "ED448"
self.alg_policy['ED448'].name = "ED448"
self.alg_policy['ED448'].ksk_keysize = None;
self.alg_policy['ED448'].zsk_keysize = None;
if filename:
self.load(filename)
......
......@@ -76,7 +76,7 @@ SUBDIRS="acl additional addzone allow_query autosign builtin
cacheclean case catz chain
checkconf @CHECKDS@ checknames checkzone cookie @COVERAGE@
database digdelv dlv dlvauto dlz dlzexternal
dns64 dnssec @DNSTAP@ dscp dsdigest dyndb ecdsa
dns64 dnssec @DNSTAP@ dscp dsdigest dyndb ecdsa eddsa
emptyzones fetchlimit filter-aaaa formerr geoip glue gost
inline integrity ixfr keepalive @KEYMGR@ legacy limits
logfileconfig lwresd masterfile masterformat metadata mkeys
......
......@@ -61,6 +61,7 @@ MDIG=$TOP/Build/$VSCONF/mdig@EXEEXT@
NZD2NZF=$TOP/Build/$VSCONF/named-nzd2nzf@EXEEXT@
FSTRM_CAPTURE=@FSTRM_CAPTURE@
FEATURETEST=$TOP/Build/$VSCONF/feature-test@EXEEXT@
# to port WIRETEST=$TOP/Build/$VSCONF/wire_test@EXEEXT@
# this is given as argument to native WIN32 executables
RANDFILE=`cygpath -w $TOP/bin/tests/system/random.data`
......@@ -72,14 +73,17 @@ KEYDELETE=$TOP/Build/$VSCONF/keydelete@EXEEXT@
LWTEST=$TOP/Build/$VSCONF/lwtest@EXEEXT@
MAKEJOURNAL=$TOP/Build/$VSCONF/makejournal@EXEEXT@
PIPEQUERIES=$TOP/Build/$VSCONF/pipequeries@EXEEXT@
# to port SAMPLEUPDATE=$TOP/lib/samples/sample-update
# The "stress" test is not run by default since it creates enough
# load on the machine to make it unusable to other users.
# v6synth
SUBDIRS="acl additional addzone allow_query autosign builtin cacheclean case
catz checkconf @CHECKDS@ checknames checkzone cookie @COVERAGE@
database digdelv dlv dlvauto dlz dlzexternal dname dns64 dnssec
@DNSTAP@ dscp dsdigest dyndb ecdsa ednscompliance emptyzones
SUBDIRS="acl additional addzone allow_query autosign builtin
cacheclean case catz
checkconf @CHECKDS@ checknames checkzone cookie @COVERAGE@
database digdelv dlv dlvauto dlz dlzexternal dname
dns64 dnssec @DNSTAP@ dscp dsdigest dyndb ecdsa eddsa
ednscompliance emptyzones
fetchlimit filter-aaaa formerr forward geoip glue gost inline ixfr
keepalive @KEYMGR@ legacy limits logfileconfig lwresd masterfile
masterformat metadata mkeys names notify nslookup nsupdate
......@@ -90,6 +94,9 @@ SUBDIRS="acl additional addzone allow_query autosign builtin cacheclean case
tsiggss unknown upforwd verify views wildcard xfer xferquota
zero zonechecks"
# missing: chain integrity
# extra: dname ednscompliance forward
#Things that are different on Windows
KILL="/bin/kill -f"
DIFF="diff --strip-trailing-cr"
......
#!/bin/sh
#
# Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
rm -f */K* */dsset-* */*.signed */trusted.conf
rm -f ns1/root.db
rm -f ns*/signer.err
rm -f dig.out*
rm -f */named.run
rm -f */named.memstats
rm -f ns*/named.lock
/*
* Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id$ */
// NS1
controls { /* empty */ };
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." {
type master;
file "root.db.signed";
};
include "trusted.conf";
; Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
; $Id$
$TTL 300
. IN SOA fdupont.isc.org. a.root.servers.nil. (
2012040600 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
. NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
#!/bin/sh -e
#
# Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
zone=.
infile=root.db.in
zonefile=root.db
key1=`$KEYGEN -q -r $RANDFILE -a ED25519 -n zone $zone`
key2=`$KEYGEN -q -r $RANDFILE -a ED25519 -n zone -f KSK $zone`
#key2=`$KEYGEN -q -r $RANDFILE -a ED448 -n zone -f KSK $zone`
$DSFROMKEY -a sha-256 $key2.key > dsset-256
cat $infile $key1.key $key2.key > $zonefile
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
# Configure the resolving server with a trusted key.
cat $key1.key | grep -v '^; ' | $PERL -n -e '
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
local $key = join("", @rest);
print <<EOF
trusted-keys {
"$dn" $flags $proto $alg "$key";
};
EOF
' > trusted.conf
cp trusted.conf ../ns2/trusted.conf
cd ../ns2 && $SHELL sign.sh
example.com. IN DNSKEY 257 3 15 l02Woi0iS8Aa25FQkUd9RMzZHJpBoRQwAQEX1SxZJA4=
Private-key-format: v1.2
Algorithm: 15 (ED25519)
PrivateKey: ODIyNjAzODQ2MjgwODAxMjI2NDUxOTAyMDQxNDIyNjI=
example.com. IN DNSKEY 257 3 15 zPnZ/QwEe7S8C5SPz2OfS5RR40ATk2/rYnE9xHIEijs=
Private-key-format: v1.2
Algorithm: 15 (ED25519)
PrivateKey: DSSF3o0s0f+ElWzj9E/Osxw8hLpk55chkmx0LYN5WiY=
; Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
; $Id$
$TTL 3600
@ IN SOA fdupont.isc.org. ns.example.com. (
2012040600 ; serial
600 ; refresh
600 ; retry
1200 ; expire
3600 ; minimum
)
MX 10 mail.example.com.
NS ns.example.com.
ns.example.com. A 10.53.0.3
;
$INCLUDE Kexample.com.+015+03613.key
$INCLUDE Kexample.com.+015+35217.key
/*
* Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id$ */
// NS2
controls { /* empty */ };
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion yes;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." {
type hint;
file "../../common/root.hint";
};
include "trusted.conf";
#!/bin/sh -e
#
# Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
zone=example.com.
zonefile=example.com.db
starttime=20150729220000
endtime=20150819220000
for i in Xexample.com.+015+03613.key Xexample.com.+015+03613.private \
Xexample.com.+015+35217.key Xexample.com.+015+35217.private
do
cp $i `echo $i | sed s/X/K/`
done
$SIGNER -P -z -s $starttime -e $endtime -r $RANDFILE -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
#!/bin/sh -e
#
# Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
exec $SHELL ../testcrypto.sh eddsa
#!/bin/sh -e
#
# Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
cd ns1 && $SHELL sign.sh
#!/bin/sh
#
# Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# $Id$
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
status=0
n=0
rm -f dig.out.*
DIGOPTS="+tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p 5300"
# Check the example. domain
echo "I:checking that positive validation works ($n)"
ret=0
$DIG $DIGOPTS . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
# Check test vectors (RFC 8080 + errata)
echo "I:checking that test vectors match ($n)"
ret=0
grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed > /dev/null || ret=1
grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed > /dev/null || ret=1
grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed > /dev/null || ret=1
grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
[ $status -eq 0 ] || exit 1
......@@ -42,3 +42,9 @@ zone "ecc.example." {
file "ecc.example.db.signed";
allow-update { any; };
};
zone "ecx.example." {
type master;
file "ecx.example.db.signed";
allow-update { any; };
};
......@@ -10,18 +10,24 @@ SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
echo "I:(Native PKCS#11)" >&2
rsafail=0 eccfail=0
rsafail=0 eccfail=0 ecxfail=0
$SHELL ../testcrypto.sh -q rsa || rsafail=1
$SHELL ../testcrypto.sh -q ecdsa || eccfail=1
$SHELL ../testcrypto.sh -q eddsa || ecxfail=1
if [ $rsafail = 0 -a $eccfail = 0 ]; then
echo both > supported
elif [ $rsafail = 1 -a $eccfail = 1 ]; then
if [ $rsafail = 1 -a $eccfail = 1 ]; then
echo "I:This test requires PKCS#11 support for either RSA or ECDSA cryptography." >&2
exit 255
elif [ $rsafail = 0 ]; then
echo rsaonly > supported
else
echo ecconly > supported
fi
rm -f supported
touch supported
if [ $rsafail = 0 ]; then
echo rsa >> supported
fi
if [ $eccfail = 0 ]; then
echo ecc >> supported
fi
if [ $ecxfail = 0 ]; then
echo ecx >> supported
fi
......@@ -14,11 +14,10 @@ infile=ns1/example.db.in
/bin/echo -n ${HSMPIN:-1234}> pin
PWD=`pwd`
supported=`cat supported`
zone=rsa.example
zonefile=ns1/rsa.example.db
if [ "$supported" != "ecconly" ]; then
have_rsa=`grep rsa supported`
if [ "x$have_rsa" != "x" ]; then
$PK11GEN -a RSA -b 1024 -l robie-rsa-zsk1 -i 01
$PK11GEN -a RSA -b 1024 -l robie-rsa-zsk2 -i 02
$PK11GEN -a RSA -b 2048 -l robie-rsa-ksk
......@@ -42,7 +41,8 @@ fi
zone=ecc.example
zonefile=ns1/ecc.example.db
if [ "$supported" != "rsaonly" ]; then
have_ecc=`grep ecc supported`
if [ "x$have_ecc" != "x" ]; then
$PK11GEN -a ECC -b 256 -l robie-ecc-zsk1 -i 03
$PK11GEN -a ECC -b 256 -l robie-ecc-zsk2 -i 04
$PK11GEN -a ECC -b 384 -l robie-ecc-ksk
......@@ -64,4 +64,32 @@ else
cp $infile ${zonefile}.signed
fi
zone=ecx.example
zonefile=ns1/ecx.example.db
have_ecx=`grep ecx supported`
if [ "x$have_ecx" != "x" ]; then
$PK11GEN -a ECX -b 256 -l robie-ecx-zsk1 -i 05
$PK11GEN -a ECX -b 256 -l robie-ecx-zsk2 -i 06
$PK11GEN -a ECX -b 256 -l robie-ecx-ksk
# $PK11GEN -a ECX -b 456 -l robie-ecx-ksk
ecxzsk1=`$KEYFRLAB -a ED25519 \
-l "object=robie-ecx-zsk1;pin-source=$PWD/pin" ecx.example`
ecxzsk2=`$KEYFRLAB -a ED25519 \
-l "object=robie-ecx-zsk2;pin-source=$PWD/pin" ecx.example`
ecxksk=`$KEYFRLAB -a ED25519 -f ksk \
-l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example`
# ecxksk=`$KEYFRLAB -a ED448 -f ksk \
# -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example`
cat $infile $ecxzsk1.key $ecxksk.key > $zonefile
$SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
> /dev/null 2> signer.err || cat signer.err
cp $ecxzsk2.key ns1/ecx.key
mv Kecx* ns1
else
# ECX not available and will not be tested; make a placeholder
cp $infile ${zonefile}.signed
fi
rm -f signer.err
......@@ -16,13 +16,19 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
status=0
ret=0