Refactor the pkcs11 to test for individual algorithms

(cherry picked from commit a6bdb9639a)
2020-04-30 14:53:40 +02:00
parent c0e1dc33d5
commit 4cc5b572bd
6 changed files with 196 additions and 174 deletions
--- a/bin/tests/system/pkcs11/tests.sh
+++ b/bin/tests/system/pkcs11/tests.sh
@@ -13,80 +13,130 @@ set -e

 SYSTEMTESTTOP=..
 # shellcheck source=conf.sh
-. $SYSTEMTESTTOP/conf.sh
+. "$SYSTEMTESTTOP/conf.sh"

-dig_with_opts() {
-    $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300 "$@"
+count_rrsigs() (
+    grep -c "IN[[:space:]]*RRSIG" "$@" || true
+)
+
+dig_with_opts() (
+    $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+)
+
+dig_for_rr() (
+    alg=$1
+    rrtype=$2
+    count0=$3
+    dig_with_opts "$alg.example." @10.53.0.1 "$rrtype" > "dig.out.$rrtype.$alg" &&
+    count=$(count_rrsigs "dig.out.$rrtype.$alg") &&
+    test "$count" -gt "$count0"
+)
+
+test_done() {
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+    ret=0
 }

 status=0
 ret=0

-algs=""
-have_rsa=$(grep rsa supported || true)
-if [ "x$have_rsa" != "x" ]; then
-    algs="rsa "
-fi
-have_ecc=$(grep ecc supported || true)
-if [ "x$have_ecc" != "x" ]; then
-    algs=$algs"ecc "
-fi
-have_ecx=$(grep ecx supported || true)
-if [ "x$have_ecx" != "x" ]; then
-    algs=$algs"ecx "
-fi
+n=0
+while read -r alg; do
+    zonefile=ns1/$alg.example.db
+    echo_i "testing PKCS#11 key generation ($alg)"
+    count=$($PK11LIST | grep -c "pkcs11-$alg-ksk" || true)
+    [ "$count" -eq 4 ] || ret=1
+    test_done

-for alg in $algs; do
-    zonefile=ns1/$alg.example.db 
-    echo "I:testing PKCS#11 key generation ($alg)"
-    count=$($PK11LIST | grep -c "robie-$alg-ksk" || true)
-    if [ "$count" -ne 2 ]; then echo "I:failed"; status=1; fi
+    echo_i "testing offline signing with PKCS#11 keys ($alg)"

-    echo "I:testing offline signing with PKCS#11 keys ($alg)"
+    count=$(grep -c "[0-9][[:space:]]*RRSIG" "$zonefile.signed")
+    [ "$count" -eq 9 ] || ret=1
+    test_done

-    count=$(grep -c RRSIG "$zonefile.signed" || true)
-    if [ "$count" -ne 12 ]; then echo "I:failed"; status=1; fi
+    echo_i "testing inline signing with new PKCS#11 ZSK ($alg)"

-    echo "I:testing inline signing with PKCS#11 keys ($alg)"
+    dig_with_opts "$alg.example." @10.53.0.1 "SOA" > "dig.out.SOA.$alg.0" || ret=1
+    countSOA0=$(count_rrsigs "dig.out.SOA.$alg.0")
+    new_zsk=$(grep -v ';' "ns1/$alg.zsk")

-    dig_with_opts "ns.$alg.example." @10.53.0.1 a > "dig.out.$alg.0" || ret=1
-    if [ $ret -ne 0 ]; then echo "I:failed"; fi
-    status=$((status + ret))
-    count0=$(grep -c RRSIG "dig.out.$alg.0" || true)
-
-    $NSUPDATE -v > "upd.log.$alg" <<END || status=1
-server 10.53.0.1 5300
+    cat > "upd.cmd.ZSK.$alg" <<EOF
+server 10.53.0.1 $PORT
 ttl 300
 zone $alg.example.
-update add $(grep -v ';' "ns1/${alg}.key" || true)
+update add $new_zsk
 send
-END
+EOF

-    echo "I:waiting 20 seconds for key changes to take effect"
-    sleep 20
+    $NSUPDATE -v > "upd.log.ZSK.$alg" < "upd.cmd.ZSK.$alg" || ret=1

-    dig_with_opts "ns.$alg.example." @10.53.0.1 a > "dig.out.$alg" || ret=1
-    if [ $ret -ne 0 ]; then echo "I:failed"; fi
-    status=$((status + ret))
-    count=$(grep -c RRSIG "dig.out.$alg" || true)
-    if [ "$count" -le "$count0" ]; then echo "I:failed"; status=1; fi
+    retry_quiet 20 dig_for_rr "$alg" "SOA" "$countSOA0" || ret=1
+    test_done

-    echo "I:testing PKCS#11 key destroy ($alg)"
-    ret=0
-    $PK11DEL -l "robie-$alg-ksk" -w0 > /dev/null 2>&1 || ret=1
-    $PK11DEL -l "robie-$alg-zsk1" -w0 > /dev/null 2>&1 || ret=1
-    case $alg in
-        rsa) id=02 ;;
-        ecc) id=04 ;;
-	ecx) id=06 ;;
-    esac
-    $PK11DEL -i $id -w0 > /dev/null 2>&1 || ret=1
-    if [ $ret -ne 0 ]; then echo "I:failed"; fi
-    status=$((status + ret))
-    count=$($PK11LIST | grep -c "robie-$alg" || true)
-    if [ "$count" -ne 0 ]; then echo "I:failed"; fi
-    status=$((status + count))
-done
+    echo_i "testing inline signing with new PKCS#11 KSK ($alg)"

-echo "I:exit status: $status"
+    dig_with_opts "$alg.example." @10.53.0.1 "DNSKEY" > "dig.out.DNSKEY.$alg.0" || ret=1
+    countDNSKEY0=$(count_rrsigs "dig.out.DNSKEY.$alg.0")
+    new_ksk=$(grep -v ';' "ns1/$alg.ksk")
+
+    cat > "upd.cmd.KSK.$alg" <<EOF
+server 10.53.0.1 $PORT
+ttl 300
+zone $alg.example.
+update add $new_ksk
+send
+EOF
+
+    $NSUPDATE -v > "upd.log.KSK.$alg" < "upd.cmd.KSK.$alg" || ret=1
+
+    retry_quiet 20 dig_for_rr "$alg" "DNSKEY" "$countDNSKEY0" || ret=1
+    test_done
+
+    echo_i "testing PKCS#11 key destroy ($alg)"
+
+    # Lookup all existing keys
+    echo_i "looking up all existing keys ($alg)"
+    $PK11LIST > "pkcs11-list.out.id.$alg" || ret=1
+    test_done
+
+    echo_i "destroying key with 'pkcs11-$alg-ksk1' label ($alg)"
+    $PK11DEL -l "pkcs11-$alg-ksk1" > /dev/null 2>&1 || ret=1
+    test_done
+
+    echo_i "destroying key with 'pkcs11-$alg-zsk1' label ($alg)"
+    $PK11DEL -l "pkcs11-$alg-zsk1" > /dev/null 2>&1 || ret=1
+    test_done
+
+    id=$(awk -v label="'pkcs11-$alg-ksk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg")
+    echo_i "destroying key with $id id ($alg)"
+    if [ -n "$id" ]; then
+	$PK11DEL -i "$id" > /dev/null 2>&1 || ret=1
+    else
+	ret=1
+    fi
+    test_done
+
+    id=$(awk -v label="'pkcs11-$alg-zsk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg")
+    echo_i "destroying key with $id id ($alg)"
+    if [ -n "$id" ]; then
+	$PK11DEL -i "$id" > /dev/null 2>&1 || ret=1
+    else
+	ret=1
+    fi
+    test_done
+
+    echo_i "checking if all keys have been destroyed ($alg)"
+    $PK11LIST > "pkcs11-list.out.$alg" || ret=1
+    count=$(grep -c "pkcs11-$alg-[kz]sk[0-9]*" "pkcs11-list.out.$alg" || true)
+    [ "$count" -eq 0 ] || ret=1
+    test_done
+    n=$((n+1))
+done < supported
+
+echo_i "Checking if all supported algorithms were tested"
+[ "$n" -eq "$(wc -l < supported)" ] || ret=1
+test_done
+
+echo_i "exit status: $status"
 [ "$status" -eq 0 ] || exit 1