diff --git a/CHANGES b/CHANGES index 62f5c2e2b3..3cc642d546 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +5802. [test] Add system test to test engine_pkcs11. [GL !5727] + 5801. [bug] Log "quota reached" message when hard quota is reached when accepting a connection. [GL #3125] diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am index b6a855f45e..c21ce5436f 100644 --- a/bin/tests/system/Makefile.am +++ b/bin/tests/system/Makefile.am @@ -114,6 +114,7 @@ TESTS += \ eddsa \ ednscompliance \ emptyzones \ + engine_pkcs11 \ filter-aaaa \ formerr \ geoip2 \ diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index 817f1b976a..30dbbbbf63 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -80,6 +80,7 @@ cookie dlzexternal dnssec dyndb +engine_pkcs11 filter-aaaa kasp keyfromlabel diff --git a/bin/tests/system/engine_pkcs11/clean.sh b/bin/tests/system/engine_pkcs11/clean.sh new file mode 100644 index 0000000000..6440e2661b --- /dev/null +++ b/bin/tests/system/engine_pkcs11/clean.sh @@ -0,0 +1,35 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../conf.sh + +set -e + +rm -f dig.out.* +rm -f dsset-* +rm -f pin +rm -f keyfromlabel.out.* +rm -f pkcs11-tool.out.* +rm -f signer.out.* +rm -f ns1/*.example.db ns1/*.example.db.signed +rm -f ns1/*.kskid1 ns1/*.kskid2 ns1/*.zskid1 ns1/*.zskid2 +rm -f ns1/dig.out.* +rm -f ns1/K* +rm -f ns1/named.conf ns1/named.run ns1/named.memstats +rm -f ns1/update.cmd.* +rm -f ns1/update.log.* +rm -f ns1/verify.out.* +rm -f ns1/zone.*.signed.jnl ns1/zone.*.signed.jbk + +softhsm2-util --delete-token --token "softhsm2-engine_pkcs11" >/dev/null 2>&1 || echo_i "softhsm2-engine_pkcs11 token not found for cleaning" diff --git a/bin/tests/system/engine_pkcs11/ns1/named.args b/bin/tests/system/engine_pkcs11/ns1/named.args new file mode 100644 index 0000000000..0382a63ccd --- /dev/null +++ b/bin/tests/system/engine_pkcs11/ns1/named.args @@ -0,0 +1 @@ +-E pkcs11 -D engine_pkcs11-ns1 -X named.lock -m record -c named.conf -d 99 -U 4 -T maxcachesize=2097152 diff --git a/bin/tests/system/engine_pkcs11/ns1/named.conf.in b/bin/tests/system/engine_pkcs11/ns1/named.conf.in new file mode 100644 index 0000000000..8f2687d538 --- /dev/null +++ b/bin/tests/system/engine_pkcs11/ns1/named.conf.in @@ -0,0 +1,36 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + dnssec-validation no; + notify no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; diff --git a/bin/tests/system/engine_pkcs11/ns1/template.db.in b/bin/tests/system/engine_pkcs11/ns1/template.db.in new file mode 100644 index 0000000000..7941903808 --- /dev/null +++ b/bin/tests/system/engine_pkcs11/ns1/template.db.in @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.1 + +txt TXT "test" + diff --git a/bin/tests/system/engine_pkcs11/prereq.sh b/bin/tests/system/engine_pkcs11/prereq.sh new file mode 100644 index 0000000000..296452b402 --- /dev/null +++ b/bin/tests/system/engine_pkcs11/prereq.sh @@ -0,0 +1,21 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if [ -n "${SOFTHSM2_MODULE}" ] && command -v softhsm2-util >/dev/null; then + exit 0 +fi + +echo_i "skip: softhsm2-util not available" +exit 255 diff --git a/bin/tests/system/engine_pkcs11/setup.sh b/bin/tests/system/engine_pkcs11/setup.sh new file mode 100644 index 0000000000..2f2f6e1100 --- /dev/null +++ b/bin/tests/system/engine_pkcs11/setup.sh @@ -0,0 +1,125 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../conf.sh + +set -e + +softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2-engine_pkcs11" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }' + +printf '%s' "${HSMPIN:-1234}" > pin +PWD=$(pwd) + +copy_setports ns1/named.conf.in ns1/named.conf + +keygen() { + type="$1" + bits="$2" + zone="$3" + id="$4" + + label="${id}-${zone}" + p11id=$(echo "${label}" | sha1sum - | awk '{print $1}') + pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-engine_pkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id//$'\n'/}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id || return 1 +} + +keyfromlabel() { + alg="$1" + zone="$2" + id="$3" + dir="$4" + shift 4 + + $KEYFRLAB -K $dir -E pkcs11 -a $alg -l "token=softhsm2-engine_pkcs11;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >> keyfromlabel.out.$zone.$id 2>> /dev/null || return 1 + cat keyfromlabel.out.$zone.$id +} + + +# Setup ns1. +dir="ns1" +infile="${dir}/template.db.in" +for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \ + ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1 + # Edwards curves are not yet supported by OpenSC + # ed25519:EC:edwards25519 ed448:EC:edwards448 +do + alg=$(echo "$algtypebits" | cut -f 1 -d :) + type=$(echo "$algtypebits" | cut -f 2 -d :) + bits=$(echo "$algtypebits" | cut -f 3 -d :) + + if $SHELL ../testcrypto.sh $alg; then + zone="$alg.example" + zonefile="zone.$alg.example.db" + ret=0 + + echo_i "Generate keys $alg $type:$bits for zone $zone" + keygen $type $bits $zone enginepkcs11-zsk || ret=1 + keygen $type $bits $zone enginepkcs11-ksk || ret=1 + test "$ret" -eq 0 || exit 1 + + echo_i "Get ZSK $alg $zone $type:$bits" + zsk1=$(keyfromlabel $alg $zone enginepkcs11-zsk $dir) + test -z "$zsk1" && exit 1 + + echo_i "Get KSK $alg $zone $type:$bits" + ksk1=$(keyfromlabel $alg $zone enginepkcs11-ksk $dir -f KSK) + test -z "$ksk1" && exit 1 + + ( + cd $dir + zskid1=$(keyfile_to_key_id $zsk1) + kskid1=$(keyfile_to_key_id $ksk1) + echo "$zskid1" > $zone.zskid1 + echo "$kskid1" > $zone.kskid1 + ) + + echo_i "Sign zone with $ksk1 $zsk1" + cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" > "${dir}/${zonefile}" + $SIGNER -K $dir -E pkcs11 -S -a -g -O full -o "$zone" "${dir}/${zonefile}" > signer.out.$zone || ret=1 + test "$ret" -eq 0 || exit 1 + + echo_i "Generate successor keys $alg $type:$bits for zone $zone" + keygen $type $bits $zone enginepkcs11-zsk2 || ret=1 + keygen $type $bits $zone enginepkcs11-ksk2 || ret=1 + test "$ret" -eq 0 || exit 1 + + echo_i "Get ZSK $alg $id-$zone $type:$bits" + zsk2=$(keyfromlabel $alg $zone enginepkcs11-zsk2 $dir) + test -z "$zsk2" && exit 1 + + echo_i "Get KSK $alg $id-$zone $type:$bits" + ksk2=$(keyfromlabel $alg $zone enginepkcs11-ksk2 $dir -f KSK) + test -z "$ksk2" && exit 1 + + ( + cd $dir + zskid2=$(keyfile_to_key_id $zsk2) + kskid2=$(keyfile_to_key_id $ksk2) + echo "$zskid2" > $zone.zskid2 + echo "$kskid2" > $zone.kskid2 + cp "${zsk2}.key" "${zsk2}.zsk2" + cp "${ksk2}.key" "${ksk2}.ksk2" + ) + + echo_i "Add zone $zone to named.conf" + cat >> "${dir}/named.conf" < verify.out.$zone.$n 2>&1 || ret=1 + test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)" + status=$((status+ret)) + + # Test inline signing with keys stored in engine. + zskid1=$(cat "${zone}.zskid1") + zskid2=$(cat "${zone}.zskid2") + + n=$((n+1)) + ret=0 + echo_i "Test inline signing for $zone ($n)" + dig_with_opts "$zone" @10.53.0.1 SOA > dig.out.soa.$zone.$n || ret=1 + awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n > dig.out.keyids.$zone.$n || return 1 + numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) + test $numsigs -eq 1 || return 1 + grep -w "$zskid1" dig.out.keyids.$zone.$n > /dev/null || return 1 + test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed with key $zskid1)" + status=$((status+ret)) + + + n=$((n+1)) + ret=0 + echo_i "Dynamically update $zone, add new zsk ($n)" + zsk2=$(grep -v ';' K${zone}.*.zsk2) + cat > "update.cmd.zsk.$zone.$n" < "update.log.zsk.$zone.$n" < "update.cmd.zsk.$zone.$n" || ret=1 + test "$ret" -eq 0 || echo_i "failed (update failed)" + status=$((status+ret)) + + n=$((n+1)) + ret=0 + echo_i "Test DNSKEY response for $zone after inline signing ($n)" + _dig_dnskey() ( + dig_with_opts "$zone" @10.53.0.1 DNSKEY > dig.out.dnskey.$zone.$n || return 1 + count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n) + test $count -eq 3 + ) + retry_quiet 10 _dig_dnskey || ret=1 + test "$ret" -eq 0 || echo_i "failed (expected 3 DNSKEY records)" + status=$((status+ret)) + + n=$((n+1)) + ret=0 + echo_i "Test SOA response for $zone after inline signing ($n)" + _dig_soa() ( + dig_with_opts "$zone" @10.53.0.1 SOA > dig.out.soa.$zone.$n || return 1 + awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n > dig.out.keyids.$zone.$n || return 1 + numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) + test $numsigs -eq 2 || return 1 + grep -w "$zskid1" dig.out.keyids.$zone.$n > /dev/null || return 1 + grep -w "$zskid2" dig.out.keyids.$zone.$n > /dev/null || return 1 + return 0 + ) + retry_quiet 10 _dig_soa || ret=1 + test "$ret" -eq 0 || echo_i "failed (expected 2 SOA RRSIG records)" + status=$((status+ret)) + + # Test inline signing with keys stored in engine (key signing). + kskid1=$(cat "${zone}.kskid1") + kskid2=$(cat "${zone}.kskid2") + + n=$((n+1)) + ret=0 + echo_i "Dynamically update $zone, add new ksk ($n)" + ksk2=$(grep -v ';' K${zone}.*.ksk2) + cat > "update.cmd.ksk.$zone.$n" < "update.log.ksk.$zone.$n" < "update.cmd.ksk.$zone.$n" || ret=1 + test "$ret" -eq 0 || echo_i "failed (update failed)" + status=$((status+ret)) + + n=$((n+1)) + ret=0 + echo_i "Test DNSKEY response for $zone after inline signing (key signing) ($n)" + _dig_dnskey_ksk() ( + dig_with_opts "$zone" @10.53.0.1 DNSKEY > dig.out.dnskey.$zone.$n || return 1 + count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n) + test $count -eq 4 || return 1 + awk '$4 == "RRSIG" { print $11 }' dig.out.dnskey.$zone.$n > dig.out.keyids.$zone.$n || return 1 + numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) + test $numsigs -eq 2 || return 1 + grep -w "$kskid1" dig.out.keyids.$zone.$n > /dev/null || return 1 + grep -w "$kskid2" dig.out.keyids.$zone.$n > /dev/null || return 1 + return 0 + ) + retry_quiet 10 _dig_dnskey_ksk || ret=1 + test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)" + status=$((status+ret)) + +done + +# Go back to main test dir. +cd .. + +# TODO: Checking for assertion failure in pk11_numbits + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1