mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-30 22:15:20 +00:00
Add tests for key-store with engine_pkcs11
Add cases for each algorithm to test the interaction between dnssec-policy and engine_pkcs11. Ensure that named creates keys on startup. Also test dnssec-keygen when using a dnssec-policy with a PKCS#11 based key-store.
This commit is contained in:
Matthijs Mekking
@@ -18,18 +18,20 @@ set -e
|
||||
|
||||
rm -f dig.out.*
|
||||
rm -f dsset-*
|
||||
rm -f pin
|
||||
rm -f keyfromlabel.err.* keyfromlabel.out.*
|
||||
rm -f pkcs11-tool.err.* pkcs11-tool.out.*
|
||||
rm -f signer.out.*
|
||||
rm -f ns1/*.example.db ns1/*.example.db.signed
|
||||
rm -f ns1/*.kasp.db ns1/*.kasp.db.signed
|
||||
rm -f ns1/*.kskid1 ns1/*.kskid2 ns1/*.zskid1 ns1/*.zskid2
|
||||
rm -f ns1/dig.out.*
|
||||
rm -f ns1/K*
|
||||
rm -f ns1/keygen.out.*
|
||||
rm -f ns1/named.conf ns1/named.args ns1/named.run ns1/named.memstats
|
||||
rm -f ns1/pin
|
||||
rm -f ns1/update.cmd.*
|
||||
rm -f ns1/update.log.*
|
||||
rm -f ns1/verify.out.*
|
||||
rm -f ns1/zone.*.signed.jnl ns1/zone.*.signed.jbk
|
||||
rm -f ns1/zone.*.jnl ns1/zone.*.jbk
|
||||
|
||||
OPENSSL_CONF= softhsm2-util --delete-token --token "softhsm2-enginepkcs11" >/dev/null 2>&1 || echo_i "softhsm2-enginepkcs11 token not found for cleaning"
|
||||
|
||||
@@ -34,3 +34,17 @@ key rndc_key {
|
||||
controls {
|
||||
inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
};
|
||||
|
||||
key-store "hsm" {
|
||||
directory ".";
|
||||
uri "pkcs11:token=softhsm2-enginepkcs11;pin-value=1234";
|
||||
};
|
||||
|
||||
key-store "pin" {
|
||||
directory ".";
|
||||
uri "pkcs11:token=softhsm2-enginepkcs11;pin-source=pin";
|
||||
};
|
||||
|
||||
key-store "disk" {
|
||||
directory "keys";
|
||||
};
|
||||
|
||||
@@ -18,8 +18,8 @@ set -e
|
||||
|
||||
OPENSSL_CONF= softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2-enginepkcs11" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'
|
||||
|
||||
printf '%s' "${HSMPIN:-1234}" >pin
|
||||
parse_openssl_config
|
||||
printf '%s' "${HSMPIN:-1234}" >ns1/pin
|
||||
PWD=$(pwd)
|
||||
|
||||
copy_setports ns1/named.conf.in ns1/named.conf
|
||||
@@ -33,7 +33,7 @@ keygen() {
|
||||
|
||||
label="${id}-${zone}"
|
||||
p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}')
|
||||
OPENSSL_CONF= pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-enginepkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) >pkcs11-tool.out.$zone.$id 2>pkcs11-tool.err.$zone.$id || return 1
|
||||
OPENSSL_CONF= pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-enginepkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/ns1/pin) >pkcs11-tool.out.$zone.$id 2>pkcs11-tool.err.$zone.$id || return 1
|
||||
}
|
||||
|
||||
keyfromlabel() {
|
||||
@@ -43,7 +43,7 @@ keyfromlabel() {
|
||||
dir="$4"
|
||||
shift 4
|
||||
|
||||
$KEYFRLAB $ENGINE_ARG -K $dir -a $alg -l "pkcs11:token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1
|
||||
$KEYFRLAB $ENGINE_ARG -K $dir -a $alg -l "pkcs11:token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/ns1/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1
|
||||
cat keyfromlabel.out.$zone.$id
|
||||
}
|
||||
|
||||
@@ -57,9 +57,10 @@ for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
|
||||
type=$(echo "$algtypebits" | cut -f 2 -d :)
|
||||
bits=$(echo "$algtypebits" | cut -f 3 -d :)
|
||||
|
||||
tld="example"
|
||||
if $SHELL ../testcrypto.sh $alg; then
|
||||
zone="$alg.example"
|
||||
zonefile="zone.$alg.example.db"
|
||||
zone="$alg.$tld"
|
||||
zonefile="zone.$alg.$tld.db"
|
||||
ret=0
|
||||
|
||||
echo_i "Generate keys $alg $type:$bits for zone $zone"
|
||||
@@ -111,6 +112,9 @@ for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
|
||||
cp "${ksk2}.key" "${ksk2}.ksk2"
|
||||
)
|
||||
|
||||
echo_i "Add zone $alg.kasp to named.conf"
|
||||
cp $infile ${dir}/zone.${alg}.kasp.db
|
||||
|
||||
echo_i "Add zone $zone to named.conf"
|
||||
cat >>"${dir}/named.conf" <<EOF
|
||||
zone "$zone" {
|
||||
@@ -119,6 +123,20 @@ zone "$zone" {
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
dnssec-policy "$alg" {
|
||||
keys {
|
||||
ksk key-store "hsm" lifetime unlimited algorithm ${alg};
|
||||
zsk key-store "pin" lifetime unlimited algorithm ${alg};
|
||||
};
|
||||
};
|
||||
|
||||
zone "${alg}.kasp" {
|
||||
type primary;
|
||||
file "zone.${alg}.kasp.db";
|
||||
dnssec-policy "$alg";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
EOF
|
||||
fi
|
||||
done
|
||||
|
||||
@@ -27,6 +27,26 @@ dig_with_opts() (
|
||||
$DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
|
||||
)
|
||||
|
||||
check_keys() {
|
||||
_zone=$1
|
||||
_expect=$2
|
||||
_ret=0
|
||||
_status=0
|
||||
_count=$(ls K*.key | grep "K${_zone}" | wc -l)
|
||||
|
||||
test "$_count" -eq "$_expect" || ret=1
|
||||
test "$_ret" -eq 0 || echo_i "failed (expected $_expect keys, got $_count)"
|
||||
_status=$((_status + _ret))
|
||||
|
||||
_ret=0
|
||||
_count=$(cat K${_zone}*.private | grep Label | wc -l)
|
||||
test "$_count" -eq "$_expect" || _ret=1
|
||||
test "$_ret" -eq 0 || echo_i "failed (expected Label metadata in key files)"
|
||||
_status=$((_status + _ret))
|
||||
|
||||
return $_status
|
||||
}
|
||||
|
||||
# Perform tests inside ns1 dir
|
||||
cd ns1
|
||||
|
||||
@@ -48,9 +68,7 @@ for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
|
||||
n=$((n + 1))
|
||||
ret=0
|
||||
echo_i "Test key generation was successful for $zone ($n)"
|
||||
count=$(ls K*.key | grep "K${zone}" | wc -l)
|
||||
test "$count" -eq 4 || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed (expected 4 keys, got $count)"
|
||||
check_keys $zone 4 || ret=1
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n + 1))
|
||||
@@ -157,6 +175,52 @@ EOF
|
||||
test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)"
|
||||
status=$((status + ret))
|
||||
|
||||
# Check dnssec-policy interaction.
|
||||
zone="${alg}.kasp"
|
||||
|
||||
# Basic checks if setup was successful (dnssec-policy).
|
||||
n=$((n + 1))
|
||||
ret=0
|
||||
echo_i "Test key generation was successful for $zone ($n)"
|
||||
check_keys $zone 2 || ret=1
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n + 1))
|
||||
ret=0
|
||||
echo_i "Test DNSKEY response for $zone ($n)"
|
||||
_dig_policy_dnskey() {
|
||||
dig_with_opts "$zone" @10.53.0.1 DNSKEY >dig.out.dnskey.$zone.$n || return 1
|
||||
count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
|
||||
test $count -eq 2
|
||||
}
|
||||
retry_quiet 2 _dig_policy_dnskey || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed (expected 2 DNSKEY records)"
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n + 1))
|
||||
ret=0
|
||||
echo_i "Test SOA response for $zone ($n)"
|
||||
_dig_policy_soa() {
|
||||
dig_with_opts "$zone" @10.53.0.1 SOA >dig.out.soa.$zone.$n || return 1
|
||||
awk '$4 == "RRSIG" && $5 == "SOA" { print $11 }' dig.out.soa.$zone.$n >dig.out.keyids.$zone.$n || return 1
|
||||
numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
|
||||
test $numsigs -eq 1 || return 1
|
||||
return 0
|
||||
}
|
||||
retry_quiet 2 _dig_policy_soa || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed (expected a SOA RRSIG record)"
|
||||
status=$((status + ret))
|
||||
|
||||
# Check dnssec-keygen with dnssec-policy and key-store.
|
||||
zone="${alg}.keygen"
|
||||
|
||||
n=$((n + 1))
|
||||
ret=0
|
||||
echo_i "Test dnssec-keygen for $zone ($n)"
|
||||
$KEYGEN $ENGINE_ARG -k $alg -l named.conf $zone >keygen.out.$zone.$n 2>/dev/null || ret=1
|
||||
check_keys $zone 2 || ret=1
|
||||
status=$((status + ret))
|
||||
|
||||
done
|
||||
|
||||
# Go back to main test dir.
|
||||
|
||||
Reference in New Issue
Block a user