Test dnssec-policy/hsm with multiple views

Add test cases for zones in different views that are using PKCS#11 tokens to store its keys. If it is using the same DNSSEC policy, only one PKCS#11 token should be created and the same key should be used for the zone in both views. If it is using a different DNSSEC policy, multiple PKCS#11 token should be created and each view should use their respective key.
2025-08-22 01:59:26 +00:00 · 2023-11-16 15:37:34 +01:00 · 2023-11-16 15:37:34 +01:00 · 89cf3049d4
commit 89cf3049d4
parent dd6cfb464f
6 changed files with 388 additions and 15 deletions
--- a/bin/tests/system/enginepkcs11/clean.sh
+++ b/bin/tests/system/enginepkcs11/clean.sh
@ -21,19 +21,21 @@ rm -f dsset-*
 rm -f keyfromlabel.err.* keyfromlabel.out.*
 rm -f pkcs11-tool.err.* pkcs11-tool.out.*
 rm -f signer.out.*
+rm -f ns*/*.kskid1 ns*/*.kskid2 ns*/*.zskid1 ns/*.zskid2
+rm -f ns*/dig.out.*
+rm -f ns*/K*
+rm -f ns*/keygen.out.*
+rm -f ns*/named.conf ns1/named.args ns1/named.run ns1/named.memstats
+rm -f ns*/pin
+rm -f ns*/update.cmd.*
+rm -f ns*/update.log.*
+rm -f ns*/verify.out.*
+rm -f ns*/zone.*.jnl ns1/zone.*.jbk
 rm -f ns1/*.example.db ns1/*.example.db.signed
 rm -f ns1/*.kasp.db ns1/*.kasp.db.signed
 rm -f ns1/*.split.db ns1/*.split.db.signed
-rm -f ns1/*.kskid1 ns1/*.kskid2 ns1/*.zskid1 ns1/*.zskid2
-rm -f ns1/dig.out.*
-rm -f ns1/K*
-rm -f ns1/keygen.out.*
-rm -f ns1/named.conf ns1/named.args ns1/named.run ns1/named.memstats
-rm -f ns1/pin
-rm -f ns1/update.cmd.*
-rm -f ns1/update.log.*
-rm -f ns1/verify.out.*
-rm -f ns1/zone.*.jnl ns1/zone.*.jbk
+rm -f ns2/*.views.db ns1/*.views.db.signed
 rm -rf ./ns1/keys/
+rm -rf ./ns2/keys/

 OPENSSL_CONF= softhsm2-util --delete-token --token "softhsm2-enginepkcs11" >/dev/null 2>&1 || echo_i "softhsm2-enginepkcs11 token not found for cleaning"
--- a/bin/tests/system/enginepkcs11/ns2/named.args.in
+++ b/bin/tests/system/enginepkcs11/ns2/named.args.in
@ -0,0 +1 @@
+@ENGINE_ARGS@ -D enginepkcs11-ns2 -m record -c named.conf -d 99 -U 4 -T maxcachesize=2097152
--- a/bin/tests/system/enginepkcs11/ns2/named.conf.in
+++ b/bin/tests/system/enginepkcs11/ns2/named.conf.in
@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify no;
+};
+
+key "keyforview1" {
+        algorithm @DEFAULT_HMAC@;
+        secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+        algorithm @DEFAULT_HMAC@;
+        secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+key-store "hsm" {
+	directory ".";
+	uri "pkcs11:token=softhsm2-enginepkcs11;pin-value=1234";
+};
+
+key-store "hsm2" {
+	directory "keys";
+	uri "pkcs11:token=softhsm2-enginepkcs11;pin-value=1234";
+};
+
+key-store "pin" {
+	directory ".";
+	uri "pkcs11:token=softhsm2-enginepkcs11;pin-source=pin";
+};
+
+key-store "disk" {
+	directory "keys";
+};
+
--- a/bin/tests/system/enginepkcs11/ns2/template.db.in
+++ b/bin/tests/system/enginepkcs11/ns2/template.db.in
@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.2
+
+txt			TXT	"test"
--- a/bin/tests/system/enginepkcs11/setup.sh
+++ b/bin/tests/system/enginepkcs11/setup.sh
@ -24,11 +24,6 @@ parse_openssl_config
 printf '%s' "${HSMPIN:-1234}" >ns1/pin
 PWD=$(pwd)

-copy_setports ns1/named.conf.in ns1/named.conf
-sed -e "s/@ENGINE_ARGS@/${ENGINE_ARG}/g" <ns1/named.args.in >ns1/named.args
-
-mkdir ns1/keys
-
 keygen() {
  type="$1"
  bits="$2"
@ -52,6 +47,11 @@ keyfromlabel() {
 }

 # Setup ns1.
+copy_setports ns1/named.conf.in ns1/named.conf
+sed -e "s/@ENGINE_ARGS@/${ENGINE_ARG}/g" <ns1/named.args.in >ns1/named.args
+
+mkdir ns1/keys
+
 dir="ns1"
 infile="${dir}/template.db.in"
 for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
@ -161,3 +161,149 @@ zone "${alg}.split" {
 EOF
  fi
 done
+
+# Setup ns2 (with views).
+copy_setports ns2/named.conf.in ns2/named.conf
+sed -e "s/@ENGINE_ARGS@/${ENGINE_ARG}/g" <ns2/named.args.in >ns2/named.args
+
+mkdir ns2/keys
+
+dir="ns2"
+infile="${dir}/template.db.in"
+algtypebits="ecdsap256sha256:EC:prime256v1"
+alg=$(echo "$algtypebits" | cut -f 1 -d :)
+type=$(echo "$algtypebits" | cut -f 2 -d :)
+bits=$(echo "$algtypebits" | cut -f 3 -d :)
+tld="views"
+
+if $SHELL ../testcrypto.sh $alg; then
+  zone="$alg.$tld"
+  zonefile1="zone.$alg.$tld.view1.db"
+  zonefile2="zone.$alg.$tld.view2.db"
+  ret=0
+
+  echo_i "Generate keys $alg $type:$bits for zone $zone"
+  keygen $type $bits $zone enginepkcs11-zsk || ret=1
+  keygen $type $bits $zone enginepkcs11-ksk || ret=1
+  test "$ret" -eq 0 || exit 1
+
+  echo_i "Get ZSK $alg $zone $type:$bits"
+  zsk1=$(keyfromlabel $alg $zone enginepkcs11-zsk $dir)
+  test -z "$zsk1" && exit 1
+
+  echo_i "Get KSK $alg $zone $type:$bits"
+  ksk1=$(keyfromlabel $alg $zone enginepkcs11-ksk $dir -f KSK)
+  test -z "$ksk1" && exit 1
+
+  (
+    cd $dir
+    zskid1=$(keyfile_to_key_id $zsk1)
+    kskid1=$(keyfile_to_key_id $ksk1)
+    echo "$zskid1" >$zone.zskid1
+    echo "$kskid1" >$zone.kskid1
+  )
+
+  echo_i "Sign zone with $ksk1 $zsk1"
+  cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile1}"
+  $SIGNER $ENGINE_ARG -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile1}" >signer.out.view1.$zone || ret=1
+  test "$ret" -eq 0 || exit 1
+
+  cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile2}"
+  $SIGNER $ENGINE_ARG -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile2}" >signer.out.view2.$zone || ret=1
+  test "$ret" -eq 0 || exit 1
+
+  echo_i "Generate successor keys $alg $type:$bits for zone $zone"
+  keygen $type $bits $zone enginepkcs11-zsk2 || ret=1
+  keygen $type $bits $zone enginepkcs11-ksk2 || ret=1
+  test "$ret" -eq 0 || exit 1
+
+  echo_i "Get ZSK $alg $id-$zone $type:$bits"
+  zsk2=$(keyfromlabel $alg $zone enginepkcs11-zsk2 $dir)
+  test -z "$zsk2" && exit 1
+
+  echo_i "Get KSK $alg $id-$zone $type:$bits"
+  ksk2=$(keyfromlabel $alg $zone enginepkcs11-ksk2 $dir -f KSK)
+  test -z "$ksk2" && exit 1
+
+  (
+    cd $dir
+    zskid2=$(keyfile_to_key_id $zsk2)
+    kskid2=$(keyfile_to_key_id $ksk2)
+    echo "$zskid2" >$zone.zskid2
+    echo "$kskid2" >$zone.kskid2
+    cp "${zsk2}.key" "${zsk2}.zsk2"
+    cp "${ksk2}.key" "${ksk2}.ksk2"
+  )
+
+  echo_i "Add zone $alg.same-policy.$tld to named.conf"
+  cp $infile ${dir}/zone.${alg}.same-policy.view1.db
+  cp $infile ${dir}/zone.${alg}.same-policy.view2.db
+
+  echo_i "Add zone zone-with.different-policy.$tld to named.conf"
+  cp $infile ${dir}/zone.zone-with.different-policy.view1.db
+  cp $infile ${dir}/zone.zone-with.different-policy.view2.db
+
+  echo_i "Add zone $zone to named.conf"
+  cat >>"${dir}/named.conf" <<EOF
+dnssec-policy "$alg" {
+	keys {
+		csk key-store "hsm" lifetime unlimited algorithm ${alg};
+	};
+};
+
+dnssec-policy "rsasha256" {
+	keys {
+		csk key-store "hsm2" lifetime unlimited algorithm rsasha256 2048;
+	};
+};
+
+view "view1" {
+	match-clients { key "keyforview1"; };
+
+	zone "$zone" {
+		type primary;
+		file "${zonefile1}.signed";
+		allow-update { any; };
+	};
+
+	zone "${alg}.same-policy.${tld}" {
+		type primary;
+		file "zone.${alg}.same-policy.view1.db";
+		dnssec-policy "$alg";
+		allow-update { any; };
+	};
+
+	zone "zone-with.different-policy.${tld}" {
+		type primary;
+		file "zone.zone-with.different-policy.view1.db";
+		dnssec-policy "$alg";
+		allow-update { any; };
+	};
+};
+
+view "view2" {
+	match-clients { key "keyforview2"; };
+
+	zone "$zone" {
+		type primary;
+		file "${zonefile2}.signed";
+		allow-update { any; };
+	};
+
+	zone "${alg}.same-policy.${tld}" {
+		type primary;
+		file "zone.${alg}.same-policy.view2.db";
+		dnssec-policy "$alg";
+		allow-update { any; };
+	};
+
+	zone "zone-with.different-policy.${tld}" {
+		type primary;
+		file "zone.zone-with.different-policy.view2.db";
+		dnssec-policy "rsasha256";
+		allow-update { any; };
+	};
+};
+
+EOF
+fi
--- a/bin/tests/system/enginepkcs11/tests.sh
+++ b/bin/tests/system/enginepkcs11/tests.sh
@ -243,6 +243,150 @@ done
 # Go back to main test dir.
 cd ..

+# Perform tests inside ns2 dir
+cd ns2
+
+algtypebits="ecdsap256sha256:EC:prime256v1"
+alg=$(echo "$algtypebits" | cut -f 1 -d :)
+type=$(echo "$algtypebits" | cut -f 2 -d :)
+bits=$(echo "$algtypebits" | cut -f 3 -d :)
+zone="${alg}.views"
+zonefile1="zone.$alg.views.view1.db.signed"
+zonefile2="zone.$alg.views.view2.db.signed"
+
+skip=0
+if [ ! -f $zonefile1 ]; then
+  echo_i "skipping test for ${alg}:${type}:${bits}, no signed zone file ${zonefile1}"
+  skip=1
+fi
+
+if [ ! -f $zonefile2 ]; then
+  echo_i "skipping test for ${alg}:${type}:${bits}, no signed zone file ${zonefile2}"
+  skip=1
+fi
+
+if [ $skip -eq 0 ]; then
+  # Basic checks if setup was successful.
+  n=$((n + 1))
+  ret=0
+  echo_i "Test key generation was successful for $zone ($n)"
+  check_keys $zone 4 || ret=1
+  status=$((status + ret))
+
+  n=$((n + 1))
+  ret=0
+  echo_i "Test zone signing was successful for $zone in view1 ($n)"
+  $VERIFY -z -o $zone "${zonefile1}" >verify.out.$zone.view1.$n 2>&1 || ret=1
+  test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)"
+  status=$((status + ret))
+
+  n=$((n + 1))
+  ret=0
+  echo_i "Test zone signing was successful for $zone in view2 ($n)"
+  $VERIFY -z -o $zone "${zonefile2}" >verify.out.$zone.view2.$n 2>&1 || ret=1
+  test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)"
+  status=$((status + ret))
+
+  # Test dnssec-policy signing with keys stored in engine.
+  zone="${alg}.same-policy.views"
+
+  n=$((n + 1))
+  ret=0
+  echo_i "Test key generation was successful for $zone ($n)"
+  check_keys $zone 1 || ret=1
+  status=$((status + ret))
+
+  _dig_inview() {
+    _qtype="$1"
+    _alg="$2"
+    _tsig="$DEFAULT_HMAC:$3:$4"
+    dig_with_opts "$zone" @10.53.0.2 $_qtype -y "$_tsig" >dig.out.$zone.$n || return 1
+    awk -v cov="$_qtype" '$4 == "RRSIG" && $5 == cov { print $6 }' dig.out.$zone.$n >dig.out.alg.$zone.$n || return 1
+    numsigs=$(cat dig.out.alg.$zone.$n | wc -l)
+    test $numsigs -eq 1 || return 1
+    grep -w "$_alg" dig.out.alg.$zone.$n >/dev/null || return 1
+  }
+
+  n=$((n + 1))
+  ret=0
+  echo_i "Test SOA is signed for $zone in view1 ($n)"
+  VIEW1="YPfMoAk6h+3iN8MDRQC004iSNHY="
+  retry_quiet 4 _dig_inview SOA 13 keyforview1 $VIEW1 || ret=1
+  test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed)"
+  status=$((status + ret))
+
+  n=$((n + 1))
+  ret=0
+  echo_i "Test DNSKEY is signed for $zone in view1 ($n)"
+  retry_quiet 4 _dig_inview DNSKEY 13 keyforview1 $VIEW1 || ret=1
+  test "$ret" -eq 0 || echo_i "failed (DNSKEY RRset not signed)"
+  status=$((status + ret))
+
+  n=$((n + 1))
+  ret=0
+  echo_i "Test SOA is signed for $zone in view2 ($n)"
+  VIEW2="4xILSZQnuO1UKubXHkYUsvBRPu8="
+  retry_quiet 4 _dig_inview SOA 13 keyforview2 $VIEW2 || ret=1
+  test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed)"
+  status=$((status + ret))
+
+  n=$((n + 1))
+  ret=0
+  echo_i "Test DNSKEY is signed for $zone in view2 ($n)"
+  retry_quiet 4 _dig_inview DNSKEY 13 keyforview2 $VIEW2 || ret=1
+  test "$ret" -eq 0 || echo_i "failed (DNSKEY RRset not signed)"
+  status=$((status + ret))
+
+  # Now test zone in different views using a different dnssec-policy.
+  zone="zone-with.different-policy.views"
+
+  n=$((n + 1))
+  ret=0
+  echo_i "Test key generation was successful for $zone in view1 ($n)"
+  # view1
+  check_keys $zone 1 || ret=1
+  status=$((status + ret))
+  # view2
+  echo_i "Test key generation was successful for $zone in view2 ($n)"
+  count=$(ls keys/K*.key | grep "K${zone}" | wc -l)
+  test "$count" -eq 1 || ret=1
+  test "$ret" -eq 0 || echo_i "failed (expected 1 key, got $count)"
+  status=$((status + ret))
+
+  n=$((n + 1))
+  ret=0
+  echo_i "Test SOA is signed for $zone in view1 ($n)"
+  VIEW1="YPfMoAk6h+3iN8MDRQC004iSNHY="
+  retry_quiet 4 _dig_inview SOA 13 keyforview1 $VIEW1 || ret=1
+  test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed)"
+  status=$((status + ret))
+
+  n=$((n + 1))
+  ret=0
+  echo_i "Test DNSKEY is signed for $zone in view1 ($n)"
+  retry_quiet 4 _dig_inview DNSKEY 13 keyforview1 $VIEW1 || ret=1
+  test "$ret" -eq 0 || echo_i "failed (DNSKEY RRset not signed)"
+  status=$((status + ret))
+
+  n=$((n + 1))
+  ret=0
+  echo_i "Test SOA is signed for $zone in view2 ($n)"
+  VIEW2="4xILSZQnuO1UKubXHkYUsvBRPu8="
+  retry_quiet 4 _dig_inview SOA 8 keyforview2 $VIEW2 || ret=1
+  test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed)"
+  status=$((status + ret))
+
+  n=$((n + 1))
+  ret=0
+  echo_i "Test DNSKEY is signed for $zone in view2 ($n)"
+  retry_quiet 4 _dig_inview DNSKEY 8 keyforview2 $VIEW2 || ret=1
+  test "$ret" -eq 0 || echo_i "failed (DNSKEY RRset not signed)"
+  status=$((status + ret))
+fi
+
+# Go back to main test dir.
+cd ..
+
 n=$((n + 1))
 ret=0
 echo_i "Checking for assertion failure in pk11_numbits()"
				`@ -0,0 +1 @@`
				`@ENGINE_ARGS@ -D enginepkcs11-ns2 -m record -c named.conf -d 99 -U 4 -T maxcachesize=2097152`