Fix "pkcs11" system test

- Define the SLOT environment variable before starting the test.  This
    variable defaults to 0 and that does not work with SoftHSM 2.

  - The system test expects the PIN environment variable to be set to
    "1234" while bin/tests/prepare-softhsm2.sh sets it to "0000".
    Update bin/tests/prepare-softhsm2.sh so that it sets the PIN to
    "1234".

  - Move contents of bin/tests/system/pkcs11/prereq.sh to
    bin/tests/system/pkcs11/setup.sh as the former was creating a file
    called "supported" that was getting removed by the latter before
    bin/tests/system/pkcs11/tests.sh could access it.

  - Fix typo in "have_ecx".

.gitlab-ci.yml

@@ -259,7 +259,8 @@ stages:
     fi
 
 .setup_softhsm: &setup_softhsm |
-    sh -x bin/tests/prepare-softhsm2.sh
+    export SLOT=$(sh -x bin/tests/prepare-softhsm2.sh)
+    test -n "${SLOT}" && test "${SLOT}" -gt 0
 
 .system_test: &system_test_job
   <<: *default_triggering_rules

bin/tests/prepare-softhsm2.sh

@@ -15,6 +15,6 @@ if [ -n "${SOFTHSM2_CONF}" ] && command -v softhsm2-util >/dev/null; then
     echo "directories.tokendir = ${SOFTHSM2_DIR}/tokens" > "${SOFTHSM2_CONF}"
     echo "objectstore.backend = file" >> "${SOFTHSM2_CONF}"
     echo "log.level = DEBUG" >> "${SOFTHSM2_CONF}"
-    softhsm2-util --init-token --free --pin 0000 --so-pin 0000 --label "softhsm2";
+    softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'
 fi
 exit 0

bin/tests/system/pkcs11/clean.sh

@@ -9,9 +9,12 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
+set -e
+
 rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
 rm -f dig.out* pin upd.log*
 rm -f ns1/*.key ns1/named.memstats
 rm -f supported
+rm -f ns*/named.run
 rm -f ns*/named.lock
 rm -f ns*/managed-keys.bind*

bin/tests/system/pkcs11/prereq.sh

@@ -1,26 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-echo "I:(Native PKCS#11)" >&2
-ecxfail=0
-
-$SHELL ../testcrypto.sh -q eddsa || ecxfail=1
-
-rm -f supported
-touch supported
-echo rsa >> supported
-echo ecc >> supported
-if [ $ecxfail = 0 ]; then
-	echo ecx >> supported
-fi

bin/tests/system/pkcs11/setup.sh

@@ -9,33 +9,49 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
+set -e
+
 SYSTEMTESTTOP=..
+# shellcheck source=conf.sh
 . $SYSTEMTESTTOP/conf.sh
 
+echo "I:(Native PKCS#11)" >&2
+ecxfail=0
+
+$SHELL ../testcrypto.sh -q eddsa || ecxfail=1
+
+rm -f supported
+touch supported
+echo rsa >> supported
+echo ecc >> supported
+if [ $ecxfail = 0 ]; then
+	echo ecx >> supported
+fi
+
 infile=ns1/example.db.in
 
-/bin/echo -n ${HSMPIN:-1234}> pin
-PWD=`pwd`
+printf '%s' "${HSMPIN:-1234}" > pin
+PWD=$(pwd)
 
 zone=rsa.example
 zonefile=ns1/rsa.example.db
-have_rsa=`grep rsa supported`
+have_rsa=$(grep rsa supported || true)
 if [ "x$have_rsa" != "x" ]; then
     $PK11GEN -a RSA -b 1024 -l robie-rsa-zsk1 -i 01
     $PK11GEN -a RSA -b 1024 -l robie-rsa-zsk2 -i 02
     $PK11GEN -a RSA -b 2048 -l robie-rsa-ksk
 
-    rsazsk1=`$KEYFRLAB -a RSASHA1 \
-            -l "object=robie-rsa-zsk1;pin-source=$PWD/pin" rsa.example`
-    rsazsk2=`$KEYFRLAB -a RSASHA1 \
-            -l "object=robie-rsa-zsk2;pin-source=$PWD/pin" rsa.example`
-    rsaksk=`$KEYFRLAB -a RSASHA1 -f ksk \
-            -l "object=robie-rsa-ksk;pin-source=$PWD/pin" rsa.example`
+    rsazsk1=$($KEYFRLAB -a RSASHA1 \
+            -l "object=robie-rsa-zsk1;pin-source=$PWD/pin" rsa.example)
+    rsazsk2=$($KEYFRLAB -a RSASHA1 \
+            -l "object=robie-rsa-zsk2;pin-source=$PWD/pin" rsa.example)
+    rsaksk=$($KEYFRLAB -a RSASHA1 -f ksk \
+            -l "object=robie-rsa-ksk;pin-source=$PWD/pin" rsa.example)
 
-    cat $infile $rsazsk1.key $rsaksk.key > $zonefile
+    cat $infile "$rsazsk1".key "$rsaksk".key > $zonefile
     $SIGNER -a -P -g -o $zone $zonefile \
             > /dev/null 2> signer.err || cat signer.err
-    cp $rsazsk2.key ns1/rsa.key
+    cp "$rsazsk2".key ns1/rsa.key
     mv Krsa* ns1
 else
     # RSA not available and will not be tested; make a placeholder
@@ -44,23 +60,23 @@ fi
 
 zone=ecc.example
 zonefile=ns1/ecc.example.db
-have_ecc=`grep ecc supported`
+have_ecc=$(grep ecc supported || true)
 if [ "x$have_ecc" != "x" ]; then
     $PK11GEN -a ECC -b 256 -l robie-ecc-zsk1 -i 03
     $PK11GEN -a ECC -b 256 -l robie-ecc-zsk2 -i 04
     $PK11GEN -a ECC -b 384 -l robie-ecc-ksk
 
-    ecczsk1=`$KEYFRLAB -a ECDSAP256SHA256 \
-            -l "object=robie-ecc-zsk1;pin-source=$PWD/pin" ecc.example`
-    ecczsk2=`$KEYFRLAB -a ECDSAP256SHA256 \
-            -l "object=robie-ecc-zsk2;pin-source=$PWD/pin" ecc.example`
-    eccksk=`$KEYFRLAB -a ECDSAP384SHA384 -f ksk \
-            -l "object=robie-ecc-ksk;pin-source=$PWD/pin" ecc.example`
+    ecczsk1=$($KEYFRLAB -a ECDSAP256SHA256 \
+            -l "object=robie-ecc-zsk1;pin-source=$PWD/pin" ecc.example)
+    ecczsk2=$($KEYFRLAB -a ECDSAP256SHA256 \
+            -l "object=robie-ecc-zsk2;pin-source=$PWD/pin" ecc.example)
+    eccksk=$($KEYFRLAB -a ECDSAP384SHA384 -f ksk \
+            -l "object=robie-ecc-ksk;pin-source=$PWD/pin" ecc.example)
 
-    cat $infile $ecczsk1.key $eccksk.key > $zonefile
+    cat $infile "$ecczsk1".key "$eccksk".key > $zonefile
     $SIGNER -a -P -g -o $zone $zonefile \
         > /dev/null 2> signer.err || cat signer.err
-    cp $ecczsk2.key ns1/ecc.key
+    cp "$ecczsk2".key ns1/ecc.key
     mv Kecc* ns1
 else
     # ECC not available and will not be tested; make a placeholder
@@ -69,26 +85,26 @@ fi
 
 zone=ecx.example
 zonefile=ns1/ecx.example.db
-have_ecx=`grep ecx supported`
+have_ecx=$(grep ecx supported || true)
 if [ "x$have_ecx" != "x" ]; then
     $PK11GEN -a ECX -b 256 -l robie-ecx-zsk1 -i 05
     $PK11GEN -a ECX -b 256 -l robie-ecx-zsk2 -i 06
     $PK11GEN -a ECX -b 256 -l robie-ecx-ksk
 #   $PK11GEN -a ECX -b 456 -l robie-ecx-ksk
 
-    ecxzsk1=`$KEYFRLAB -a ED25519 \
-            -l "object=robie-ecx-zsk1;pin-source=$PWD/pin" ecx.example`
-    ecxzsk2=`$KEYFRLAB -a ED25519 \
-            -l "object=robie-ecx-zsk2;pin-source=$PWD/pin" ecx.example`
-    ecxksk=`$KEYFRLAB -a ED25519 -f ksk \
-            -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example`
+    ecxzsk1=$($KEYFRLAB -a ED25519 \
+            -l "object=robie-ecx-zsk1;pin-source=$PWD/pin" ecx.example)
+    ecxzsk2=$($KEYFRLAB -a ED25519 \
+            -l "object=robie-ecx-zsk2;pin-source=$PWD/pin" ecx.example)
+    ecxksk=$($KEYFRLAB -a ED25519 -f ksk \
+            -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example)
 #   ecxksk=`$KEYFRLAB -a ED448 -f ksk \
 #           -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example`
 
-    cat $infile $ecxzsk1.key $ecxksk.key > $zonefile
+    cat $infile "$ecxzsk1".key "$ecxksk".key > $zonefile
     $SIGNER -a -P -g -o $zone $zonefile \
         > /dev/null 2> signer.err || cat signer.err
-    cp $ecxzsk2.key ns1/ecx.key
+    cp "$ecxzsk2".key ns1/ecx.key
     mv Kecx* ns1
 else
     # ECX not available and will not be tested; make a placeholder

bin/tests/system/pkcs11/tests.sh

@@ -9,24 +9,29 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
+set -e
+
 SYSTEMTESTTOP=..
+# shellcheck source=conf.sh
 . $SYSTEMTESTTOP/conf.sh
 
-DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
+dig_with_opts() {
+    $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300 "$@"
+}
 
 status=0
 ret=0
 
 algs=""
-have_rsa=`grep rsa supported`
+have_rsa=$(grep rsa supported || true)
 if [ "x$have_rsa" != "x" ]; then
     algs="rsa "
 fi
-have_ecc=`grep ecc supported`
+have_ecc=$(grep ecc supported || true)
 if [ "x$have_ecc" != "x" ]; then
     algs=$algs"ecc "
 fi
-have_ecx=`grep ecc supported`
+have_ecx=$(grep ecx supported || true)
 if [ "x$have_ecx" != "x" ]; then
     algs=$algs"ecx "
 fi
@@ -34,54 +39,54 @@ fi
 for alg in $algs; do
     zonefile=ns1/$alg.example.db 
     echo "I:testing PKCS#11 key generation ($alg)"
-    count=`$PK11LIST | grep robie-$alg-ksk | wc -l`
-    if [ $count != 2 ]; then echo "I:failed"; status=1; fi
+    count=$($PK11LIST | grep -c "robie-$alg-ksk" || true)
+    if [ "$count" -ne 2 ]; then echo "I:failed"; status=1; fi
 
     echo "I:testing offline signing with PKCS#11 keys ($alg)"
 
-    count=`grep RRSIG $zonefile.signed | wc -l`
-    if [ $count != 12 ]; then echo "I:failed"; status=1; fi
+    count=$(grep -c RRSIG "$zonefile.signed" || true)
+    if [ "$count" -ne 12 ]; then echo "I:failed"; status=1; fi
 
     echo "I:testing inline signing with PKCS#11 keys ($alg)"
 
-    $DIG $DIGOPTS ns.$alg.example. @10.53.0.1 a > dig.out.$alg.0 || ret=1
-    if [ $ret != 0 ]; then echo "I:failed"; fi
-    status=`expr $status + $ret`
-    count0=`grep RRSIG dig.out.$alg.0 | wc -l`
+    dig_with_opts "ns.$alg.example." @10.53.0.1 a > "dig.out.$alg.0" || ret=1
+    if [ $ret -ne 0 ]; then echo "I:failed"; fi
+    status=$((status + ret))
+    count0=$(grep -c RRSIG "dig.out.$alg.0" || true)
 
-    $NSUPDATE -v > upd.log.$alg <<END || status=1
+    $NSUPDATE -v > "upd.log.$alg" <<END || status=1
 server 10.53.0.1 5300
 ttl 300
 zone $alg.example.
-update add `grep -v ';' ns1/${alg}.key`
+update add $(grep -v ';' "ns1/${alg}.key" || true)
 send
 END
 
     echo "I:waiting 20 seconds for key changes to take effect"
     sleep 20
 
-    $DIG $DIGOPTS ns.$alg.example. @10.53.0.1 a > dig.out.$alg || ret=1
-    if [ $ret != 0 ]; then echo "I:failed"; fi
-    status=`expr $status + $ret`
-    count=`grep RRSIG dig.out.$alg | wc -l`
-    if [ $count -le $count0 ]; then echo "I:failed"; status=1; fi
+    dig_with_opts "ns.$alg.example." @10.53.0.1 a > "dig.out.$alg" || ret=1
+    if [ $ret -ne 0 ]; then echo "I:failed"; fi
+    status=$((status + ret))
+    count=$(grep -c RRSIG "dig.out.$alg" || true)
+    if [ "$count" -le "$count0" ]; then echo "I:failed"; status=1; fi
 
     echo "I:testing PKCS#11 key destroy ($alg)"
     ret=0
-    $PK11DEL -l robie-$alg-ksk -w0 > /dev/null 2>&1 || ret=1
-    $PK11DEL -l robie-$alg-zsk1 -w0 > /dev/null 2>&1 || ret=1
+    $PK11DEL -l "robie-$alg-ksk" -w0 > /dev/null 2>&1 || ret=1
+    $PK11DEL -l "robie-$alg-zsk1" -w0 > /dev/null 2>&1 || ret=1
     case $alg in
         rsa) id=02 ;;
         ecc) id=04 ;;
 	ecx) id=06 ;;
     esac
     $PK11DEL -i $id -w0 > /dev/null 2>&1 || ret=1
-    if [ $ret != 0 ]; then echo "I:failed"; fi
-    status=`expr $status + $ret`
-    count=`$PK11LIST | grep robie-$alg | wc -l`
-    if [ $count != 0 ]; then echo "I:failed"; fi
-    status=`expr $status + $count`
+    if [ $ret -ne 0 ]; then echo "I:failed"; fi
+    status=$((status + ret))
+    count=$($PK11LIST | grep -c "robie-$alg" || true)
+    if [ "$count" -ne 0 ]; then echo "I:failed"; fi
+    status=$((status + count))
 done
 
 echo "I:exit status: $status"
-[ $status -eq 0 ] || exit 1
+[ "$status" -eq 0 ] || exit 1

util/copyrights

@@ -883,7 +883,6 @@
 ./bin/tests/system/pipelined/setup.sh		SH	2014,2015,2016,2017,2018,2019,2020
 ./bin/tests/system/pipelined/tests.sh		SH	2014,2015,2016,2017,2018,2019,2020
 ./bin/tests/system/pkcs11/clean.sh		SH	2010,2012,2014,2016,2017,2018,2019,2020
-./bin/tests/system/pkcs11/prereq.sh		SH	2010,2012,2014,2016,2017,2018,2019,2020
 ./bin/tests/system/pkcs11/setup.sh		SH	2010,2012,2013,2014,2016,2017,2018,2019,2020
 ./bin/tests/system/pkcs11/tests.sh		SH	2010,2012,2014,2016,2017,2018,2019,2020
 ./bin/tests/system/pkcs11/usepkcs11		X	2010,2018,2019,2020