Add system test for engine_pkcs11

Add a system test for engine_pkcs11 interactions that replaces the
tests that are done in the native PKCS#11 system test.

The native PKCS#11 code was removed in 9.17 but without copying the
pkcs11 system test.

CHANGES

@@ -1,3 +1,5 @@
+5802.	[test]		Add system test to test engine_pkcs11. [GL !5727]
+
 5801.	[bug]		Log "quota reached" message when hard quota
 			is reached when accepting a connection. [GL #3125]
 

bin/tests/system/Makefile.am

@@ -114,6 +114,7 @@ TESTS +=			\
 	eddsa			\
 	ednscompliance		\
 	emptyzones		\
+	engine_pkcs11		\
 	filter-aaaa		\
 	formerr			\
 	geoip2			\

bin/tests/system/conf.sh.in

@@ -80,6 +80,7 @@ cookie
 dlzexternal
 dnssec
 dyndb
+engine_pkcs11
 filter-aaaa
 kasp
 keyfromlabel

bin/tests/system/engine_pkcs11/clean.sh

@@ -0,0 +1,35 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+rm -f dig.out.*
+rm -f dsset-*
+rm -f pin
+rm -f keyfromlabel.out.*
+rm -f pkcs11-tool.out.*
+rm -f signer.out.*
+rm -f ns1/*.example.db ns1/*.example.db.signed
+rm -f ns1/*.kskid1 ns1/*.kskid2 ns1/*.zskid1 ns1/*.zskid2
+rm -f ns1/dig.out.*
+rm -f ns1/K*
+rm -f ns1/named.conf ns1/named.run ns1/named.memstats
+rm -f ns1/update.cmd.*
+rm -f ns1/update.log.*
+rm -f ns1/verify.out.*
+rm -f ns1/zone.*.signed.jnl ns1/zone.*.signed.jbk
+
+softhsm2-util --delete-token --token "softhsm2-engine_pkcs11" >/dev/null 2>&1 || echo_i "softhsm2-engine_pkcs11 token not found for cleaning"

bin/tests/system/engine_pkcs11/ns1/named.args

@@ -0,0 +1 @@
+-E pkcs11 -D engine_pkcs11-ns1 -X named.lock -m record -c named.conf -d 99 -U 4 -T maxcachesize=2097152

bin/tests/system/engine_pkcs11/ns1/named.conf.in

@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};

bin/tests/system/engine_pkcs11/ns1/template.db.in

@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.1
+
+txt			TXT	"test"
+

bin/tests/system/engine_pkcs11/prereq.sh

@@ -0,0 +1,21 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+if [ -n "${SOFTHSM2_MODULE}" ] && command -v softhsm2-util >/dev/null; then
+	exit 0
+fi
+
+echo_i "skip: softhsm2-util not available"
+exit 255

bin/tests/system/engine_pkcs11/setup.sh

@@ -0,0 +1,125 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2-engine_pkcs11" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'
+
+printf '%s' "${HSMPIN:-1234}" > pin
+PWD=$(pwd)
+
+copy_setports ns1/named.conf.in ns1/named.conf
+
+keygen() {
+	type="$1"
+	bits="$2"
+	zone="$3"
+	id="$4"
+
+	label="${id}-${zone}"
+	p11id=$(echo "${label}" | sha1sum - | awk '{print $1}')
+	pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-engine_pkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id//$'\n'/}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id || return 1
+}
+
+keyfromlabel() {
+        alg="$1"
+        zone="$2"
+        id="$3"
+	dir="$4"
+        shift 4
+
+	$KEYFRLAB -K $dir -E pkcs11 -a $alg -l "token=softhsm2-engine_pkcs11;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >> keyfromlabel.out.$zone.$id 2>> /dev/null || return 1
+	cat keyfromlabel.out.$zone.$id
+}
+
+
+# Setup ns1.
+dir="ns1"
+infile="${dir}/template.db.in"
+for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
+		   ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1
+		   # Edwards curves are not yet supported by OpenSC
+		   # ed25519:EC:edwards25519 ed448:EC:edwards448
+do
+	alg=$(echo "$algtypebits" | cut -f 1 -d :)
+	type=$(echo "$algtypebits" | cut -f 2 -d :)
+	bits=$(echo "$algtypebits" | cut -f 3 -d :)
+
+	if $SHELL ../testcrypto.sh $alg; then
+		zone="$alg.example"
+		zonefile="zone.$alg.example.db"
+		ret=0
+
+		echo_i "Generate keys $alg $type:$bits for zone $zone"
+		keygen $type $bits $zone enginepkcs11-zsk || ret=1
+		keygen $type $bits $zone enginepkcs11-ksk || ret=1
+		test "$ret" -eq 0 || exit 1
+
+		echo_i "Get ZSK $alg $zone $type:$bits"
+		zsk1=$(keyfromlabel $alg $zone enginepkcs11-zsk $dir)
+		test -z "$zsk1" && exit 1
+
+		echo_i "Get KSK $alg $zone $type:$bits"
+		ksk1=$(keyfromlabel $alg $zone enginepkcs11-ksk $dir -f KSK)
+		test -z "$ksk1" && exit 1
+
+		(
+			cd $dir
+			zskid1=$(keyfile_to_key_id $zsk1)
+			kskid1=$(keyfile_to_key_id $ksk1)
+			echo "$zskid1" > $zone.zskid1
+			echo "$kskid1" > $zone.kskid1
+		)
+
+		echo_i "Sign zone with $ksk1 $zsk1"
+		cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" > "${dir}/${zonefile}"
+		$SIGNER -K $dir -E pkcs11 -S -a -g -O full -o "$zone" "${dir}/${zonefile}" > signer.out.$zone || ret=1
+		test "$ret" -eq 0 || exit 1
+
+		echo_i "Generate successor keys $alg $type:$bits for zone $zone"
+		keygen $type $bits $zone enginepkcs11-zsk2 || ret=1
+		keygen $type $bits $zone enginepkcs11-ksk2 || ret=1
+		test "$ret" -eq 0 || exit 1
+
+		echo_i "Get ZSK $alg $id-$zone $type:$bits"
+		zsk2=$(keyfromlabel $alg $zone enginepkcs11-zsk2 $dir)
+		test -z "$zsk2" && exit 1
+
+		echo_i "Get KSK $alg $id-$zone $type:$bits"
+		ksk2=$(keyfromlabel $alg $zone enginepkcs11-ksk2 $dir -f KSK)
+		test -z "$ksk2" && exit 1
+
+		(
+			cd $dir
+			zskid2=$(keyfile_to_key_id $zsk2)
+			kskid2=$(keyfile_to_key_id $ksk2)
+			echo "$zskid2" > $zone.zskid2
+			echo "$kskid2" > $zone.kskid2
+			cp "${zsk2}.key" "${zsk2}.zsk2"
+			cp "${ksk2}.key" "${ksk2}.ksk2"
+		)
+
+		echo_i "Add zone $zone to named.conf"
+		cat >> "${dir}/named.conf" <<EOF
+zone "$zone" {
+	type primary;
+	file "${zonefile}.signed";
+	allow-update { any; };
+};
+
+EOF
+        fi
+done

bin/tests/system/engine_pkcs11/tests.sh

@@ -0,0 +1,168 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+PWD=$(pwd)
+
+status=0
+ret=0
+n=0
+
+dig_with_opts() (
+	$DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+)
+
+# Perform tests inside ns1 dir
+cd ns1
+
+for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
+		   ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1
+		   # Edwards curves are not yet supported by OpenSC
+		   # ed25519:EC:edwards25519 ed448:EC:edwards448
+do
+	alg=$(echo "$algtypebits" | cut -f 1 -d :)
+	type=$(echo "$algtypebits" | cut -f 2 -d :)
+	bits=$(echo "$algtypebits" | cut -f 3 -d :)
+	zone="${alg}.example"
+	zonefile="zone.${zone}.db.signed"
+
+        if [ ! -f $zonefile ]; then
+		echo_i "skipping test for ${alg}:${type}:${bits}, no signed zone file ${zonefile}"
+		continue
+	fi
+
+	# Basic checks if setup was successful.
+	n=$((n+1))
+	ret=0
+	echo_i "Test key generation was successful for $zone ($n)"
+	count=$(ls K*.key | grep "K${zone}" | wc -l)
+	test "$count" -eq 4 || ret=1
+	test "$ret" -eq 0 || echo_i "failed (expected 4 keys, got $count)"
+	status=$((status+ret))
+
+	n=$((n+1))
+	ret=0
+	echo_i "Test zone signing was successful for $zone ($n)"
+	$VERIFY -z -o $zone "${zonefile}" > verify.out.$zone.$n 2>&1 || ret=1
+	test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)"
+	status=$((status+ret))
+
+	# Test inline signing with keys stored in engine.
+	zskid1=$(cat "${zone}.zskid1")
+	zskid2=$(cat "${zone}.zskid2")
+
+	n=$((n+1))
+	ret=0
+	echo_i "Test inline signing for $zone ($n)"
+	dig_with_opts "$zone" @10.53.0.1 SOA > dig.out.soa.$zone.$n || ret=1
+	awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n > dig.out.keyids.$zone.$n || return 1
+	numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
+	test $numsigs -eq 1 || return 1
+	grep -w "$zskid1" dig.out.keyids.$zone.$n > /dev/null || return 1
+	test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed with key $zskid1)"
+	status=$((status+ret))
+
+
+	n=$((n+1))
+	ret=0
+	echo_i "Dynamically update $zone, add new zsk ($n)"
+	zsk2=$(grep -v ';' K${zone}.*.zsk2)
+	cat > "update.cmd.zsk.$zone.$n" <<EOF
+server 10.53.0.1 $PORT
+ttl 300
+zone $zone
+update add $zsk2
+send
+EOF
+
+	$NSUPDATE -v > "update.log.zsk.$zone.$n" < "update.cmd.zsk.$zone.$n" || ret=1
+	test "$ret" -eq 0 || echo_i "failed (update failed)"
+	status=$((status+ret))
+
+	n=$((n+1))
+	ret=0
+	echo_i "Test DNSKEY response for $zone after inline signing ($n)"
+	_dig_dnskey() (
+		dig_with_opts "$zone" @10.53.0.1 DNSKEY > dig.out.dnskey.$zone.$n || return 1
+		count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
+		test $count -eq 3
+	)
+	retry_quiet 10 _dig_dnskey || ret=1
+	test "$ret" -eq 0 || echo_i "failed (expected 3 DNSKEY records)"
+	status=$((status+ret))
+
+	n=$((n+1))
+	ret=0
+	echo_i "Test SOA response for $zone after inline signing ($n)"
+	_dig_soa() (
+		dig_with_opts "$zone" @10.53.0.1 SOA > dig.out.soa.$zone.$n || return 1
+		awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n > dig.out.keyids.$zone.$n || return 1
+		numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
+		test $numsigs -eq 2 || return 1
+		grep -w "$zskid1" dig.out.keyids.$zone.$n > /dev/null || return 1
+		grep -w "$zskid2" dig.out.keyids.$zone.$n > /dev/null || return 1
+		return 0
+	)
+	retry_quiet 10 _dig_soa || ret=1
+	test "$ret" -eq 0 || echo_i "failed (expected 2 SOA RRSIG records)"
+	status=$((status+ret))
+
+	# Test inline signing with keys stored in engine (key signing).
+	kskid1=$(cat "${zone}.kskid1")
+	kskid2=$(cat "${zone}.kskid2")
+
+	n=$((n+1))
+	ret=0
+	echo_i "Dynamically update $zone, add new ksk ($n)"
+	ksk2=$(grep -v ';' K${zone}.*.ksk2)
+	cat > "update.cmd.ksk.$zone.$n" <<EOF
+server 10.53.0.1 $PORT
+ttl 300
+zone $zone
+update add $ksk2
+send
+EOF
+
+	$NSUPDATE -v > "update.log.ksk.$zone.$n" < "update.cmd.ksk.$zone.$n" || ret=1
+	test "$ret" -eq 0 || echo_i "failed (update failed)"
+	status=$((status+ret))
+
+	n=$((n+1))
+	ret=0
+	echo_i "Test DNSKEY response for $zone after inline signing (key signing) ($n)"
+	_dig_dnskey_ksk() (
+		dig_with_opts "$zone" @10.53.0.1 DNSKEY > dig.out.dnskey.$zone.$n || return 1
+		count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
+		test $count -eq 4 || return 1
+		awk '$4 == "RRSIG" { print $11 }' dig.out.dnskey.$zone.$n > dig.out.keyids.$zone.$n || return 1
+		numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
+		test $numsigs -eq 2 || return 1
+		grep -w "$kskid1" dig.out.keyids.$zone.$n > /dev/null || return 1
+		grep -w "$kskid2" dig.out.keyids.$zone.$n > /dev/null || return 1
+		return 0
+	)
+	retry_quiet 10 _dig_dnskey_ksk || ret=1
+	test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)"
+	status=$((status+ret))
+
+done
+
+# Go back to main test dir.
+cd ..
+
+# TODO: Checking for assertion failure in pk11_numbits
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1