Add tests for key-store with engine_pkcs11

Add cases for each algorithm to test the interaction between
dnssec-policy and engine_pkcs11. Ensure that named creates keys on
startup.

Also test dnssec-keygen when using a dnssec-policy with a PKCS#11
based key-store.

bin/tests/system/enginepkcs11/clean.sh

@@ -18,18 +18,20 @@ set -e
 
 rm -f dig.out.*
 rm -f dsset-*
-rm -f pin
 rm -f keyfromlabel.err.* keyfromlabel.out.*
 rm -f pkcs11-tool.err.* pkcs11-tool.out.*
 rm -f signer.out.*
 rm -f ns1/*.example.db ns1/*.example.db.signed
+rm -f ns1/*.kasp.db ns1/*.kasp.db.signed
 rm -f ns1/*.kskid1 ns1/*.kskid2 ns1/*.zskid1 ns1/*.zskid2
 rm -f ns1/dig.out.*
 rm -f ns1/K*
+rm -f ns1/keygen.out.*
 rm -f ns1/named.conf ns1/named.args ns1/named.run ns1/named.memstats
+rm -f ns1/pin
 rm -f ns1/update.cmd.*
 rm -f ns1/update.log.*
 rm -f ns1/verify.out.*
-rm -f ns1/zone.*.signed.jnl ns1/zone.*.signed.jbk
+rm -f ns1/zone.*.jnl ns1/zone.*.jbk
 
 OPENSSL_CONF= softhsm2-util --delete-token --token "softhsm2-enginepkcs11" >/dev/null 2>&1 || echo_i "softhsm2-enginepkcs11 token not found for cleaning"

bin/tests/system/enginepkcs11/ns1/named.conf.in

@@ -34,3 +34,17 @@ key rndc_key {
 controls {
 	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
+
+key-store "hsm" {
+	directory ".";
+	uri "pkcs11:token=softhsm2-enginepkcs11;pin-value=1234";
+};
+
+key-store "pin" {
+	directory ".";
+	uri "pkcs11:token=softhsm2-enginepkcs11;pin-source=pin";
+};
+
+key-store "disk" {
+	directory "keys";
+};

bin/tests/system/enginepkcs11/setup.sh

@@ -18,8 +18,8 @@ set -e
 
 OPENSSL_CONF= softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2-enginepkcs11" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'
 
-printf '%s' "${HSMPIN:-1234}" >pin
 parse_openssl_config
+printf '%s' "${HSMPIN:-1234}" >ns1/pin
 PWD=$(pwd)
 
 copy_setports ns1/named.conf.in ns1/named.conf
@@ -33,7 +33,7 @@ keygen() {
 
   label="${id}-${zone}"
   p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}')
-  OPENSSL_CONF= pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-enginepkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) >pkcs11-tool.out.$zone.$id 2>pkcs11-tool.err.$zone.$id || return 1
+  OPENSSL_CONF= pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-enginepkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/ns1/pin) >pkcs11-tool.out.$zone.$id 2>pkcs11-tool.err.$zone.$id || return 1
 }
 
 keyfromlabel() {
@@ -43,7 +43,7 @@ keyfromlabel() {
   dir="$4"
   shift 4
 
-  $KEYFRLAB $ENGINE_ARG -K $dir -a $alg -l "pkcs11:token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1
+  $KEYFRLAB $ENGINE_ARG -K $dir -a $alg -l "pkcs11:token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/ns1/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1
   cat keyfromlabel.out.$zone.$id
 }
 
@@ -57,9 +57,10 @@ for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
   type=$(echo "$algtypebits" | cut -f 2 -d :)
   bits=$(echo "$algtypebits" | cut -f 3 -d :)
 
+  tld="example"
   if $SHELL ../testcrypto.sh $alg; then
-    zone="$alg.example"
+    zone="$alg.$tld"
-    zonefile="zone.$alg.example.db"
+    zonefile="zone.$alg.$tld.db"
     ret=0
 
     echo_i "Generate keys $alg $type:$bits for zone $zone"
@@ -111,6 +112,9 @@ for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
       cp "${ksk2}.key" "${ksk2}.ksk2"
     )
 
+    echo_i "Add zone $alg.kasp to named.conf"
+    cp $infile ${dir}/zone.${alg}.kasp.db
+
     echo_i "Add zone $zone to named.conf"
     cat >>"${dir}/named.conf" <<EOF
 zone "$zone" {
@@ -119,6 +123,20 @@ zone "$zone" {
 	allow-update { any; };
 };
 
+dnssec-policy "$alg" {
+	keys {
+		ksk key-store "hsm" lifetime unlimited algorithm ${alg};
+		zsk key-store "pin" lifetime unlimited algorithm ${alg};
+	};
+};
+
+zone "${alg}.kasp" {
+	type primary;
+	file "zone.${alg}.kasp.db";
+	dnssec-policy "$alg";
+	allow-update { any; };
+};
+
 EOF
   fi
 done

bin/tests/system/enginepkcs11/tests.sh

@@ -27,6 +27,26 @@ dig_with_opts() (
   $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
 )
 
+check_keys() {
+  _zone=$1
+  _expect=$2
+  _ret=0
+  _status=0
+  _count=$(ls K*.key | grep "K${_zone}" | wc -l)
+
+  test "$_count" -eq "$_expect" || ret=1
+  test "$_ret" -eq 0 || echo_i "failed (expected $_expect keys, got $_count)"
+  _status=$((_status + _ret))
+
+  _ret=0
+  _count=$(cat K${_zone}*.private | grep Label | wc -l)
+  test "$_count" -eq "$_expect" || _ret=1
+  test "$_ret" -eq 0 || echo_i "failed (expected Label metadata in key files)"
+  _status=$((_status + _ret))
+
+  return $_status
+}
+
 # Perform tests inside ns1 dir
 cd ns1
 
@@ -48,9 +68,7 @@ for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
   n=$((n + 1))
   ret=0
   echo_i "Test key generation was successful for $zone ($n)"
-  count=$(ls K*.key | grep "K${zone}" | wc -l)
+  check_keys $zone 4 || ret=1
-  test "$count" -eq 4 || ret=1
-  test "$ret" -eq 0 || echo_i "failed (expected 4 keys, got $count)"
   status=$((status + ret))
 
   n=$((n + 1))
@@ -157,6 +175,52 @@ EOF
   test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)"
   status=$((status + ret))
 
+  # Check dnssec-policy interaction.
+  zone="${alg}.kasp"
+
+  # Basic checks if setup was successful (dnssec-policy).
+  n=$((n + 1))
+  ret=0
+  echo_i "Test key generation was successful for $zone ($n)"
+  check_keys $zone 2 || ret=1
+  status=$((status + ret))
+
+  n=$((n + 1))
+  ret=0
+  echo_i "Test DNSKEY response for $zone ($n)"
+  _dig_policy_dnskey() {
+    dig_with_opts "$zone" @10.53.0.1 DNSKEY >dig.out.dnskey.$zone.$n || return 1
+    count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
+    test $count -eq 2
+  }
+  retry_quiet 2 _dig_policy_dnskey || ret=1
+  test "$ret" -eq 0 || echo_i "failed (expected 2 DNSKEY records)"
+  status=$((status + ret))
+
+  n=$((n + 1))
+  ret=0
+  echo_i "Test SOA response for $zone ($n)"
+  _dig_policy_soa() {
+    dig_with_opts "$zone" @10.53.0.1 SOA >dig.out.soa.$zone.$n || return 1
+    awk '$4 == "RRSIG" && $5 == "SOA" { print $11 }' dig.out.soa.$zone.$n >dig.out.keyids.$zone.$n || return 1
+    numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
+    test $numsigs -eq 1 || return 1
+    return 0
+  }
+  retry_quiet 2 _dig_policy_soa || ret=1
+  test "$ret" -eq 0 || echo_i "failed (expected a SOA RRSIG record)"
+  status=$((status + ret))
+
+  # Check dnssec-keygen with dnssec-policy and key-store.
+  zone="${alg}.keygen"
+
+  n=$((n + 1))
+  ret=0
+  echo_i "Test dnssec-keygen for $zone ($n)"
+  $KEYGEN $ENGINE_ARG -k $alg -l named.conf $zone >keygen.out.$zone.$n 2>/dev/null || ret=1
+  check_keys $zone 2 || ret=1
+  status=$((status + ret))
+
 done
 
 # Go back to main test dir.