ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

2913. [func] Add pkcs#11 system tests. [RT #20784]

Browse Source
This commit is contained in:
Mark Andrews
2010-06-07 03:42:37 +00:00
parent e0cc71935a
commit 63af1a646a
13 changed files with 272 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGES
View File

@@ -1,3 +1,5 @@
2913. [func] Add pkcs#11 system tests. [RT #20784]
2912. [func] Windows clients don't like UPDATE responses that clear
the zone section. [RT #20986]

21
bin/tests/system/cleanpkcs11.sh Normal file
View File

@@ -0,0 +1,21 @@
#!/bin/sh
#
# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: cleanpkcs11.sh,v 1.2 2010/06/07 03:42:37 marka Exp $
if [ ! -x ../../pkcs11/pkcs11-destroy ]; then exit 1; fi
../../pkcs11/pkcs11-destroy -s 0 -p 1234

16
bin/tests/system/conf.sh.in
View File

@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: conf.sh.in,v 1.46 2010/05/26 06:28:00 marka Exp $
# $Id: conf.sh.in,v 1.47 2010/06/07 03:42:37 marka Exp $
#
# Common configuration data for system tests, to be sourced into
@@ -37,23 +37,27 @@ RNDC=$TOP/bin/rndc/rndc
NSUPDATE=$TOP/bin/nsupdate/nsupdate
DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
KEYGEN=$TOP/bin/dnssec/dnssec-keygen
KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
SIGNER=$TOP/bin/dnssec/dnssec-signzone
REVOKE=$TOP/bin/dnssec/dnssec-revoke
SETTIME=$TOP/bin/dnssec/dnssec-settime
DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
CHECKZONE=$TOP/bin/check/named-checkzone
CHECKCONF=$TOP/bin/check/named-checkconf
PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -s 0 -p 1234"
PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s 0 -p 1234"
PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s 0 -p 1234"
# The "stress" test is not run by default since it creates enough
# load on the machine to make it unusable to other users.
# v6synth
SUBDIRS="acl autosign cacheclean checkconf checknames dlv dnssec forward glue
ixfr limits lwresd masterfile masterformat metadata notify nsupdate pending
resolver rrsetorder sortlist smartsign stub tkey unknown upforwd views
xfer xferquota zonechecks"
ixfr limits lwresd masterfile masterformat metadata notify nsupdate
pending pkcs11 resolver rrsetorder sortlist smartsign stub tkey
unknown upforwd views xfer xferquota zonechecks"
# PERL will be an empty string if no perl interpreter was found.
PERL=@PERL@
export NAMED LWRESD DIG NSUPDATE KEYGEN SIGNER KEYSIGNER KEYSETTOOL PERL \
SUBDIRS RNDC CHECKZONE
export NAMED LWRESD DIG NSUPDATE KEYGEN KEYFRLAB SIGNER KEYSIGNER KEYSETTOOL \
PERL SUBDIRS RNDC CHECKZONE PK11GEN PK11LIST PK11DEL

21
bin/tests/system/pkcs11/clean.sh Normal file
View File

@@ -0,0 +1,21 @@
#!/bin/sh
#
# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.2 2010/06/07 03:42:37 marka Exp $
rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
rm -f dig.out random.data
rm -f ns1/key ns1/named.memstats

13
bin/tests/system/pkcs11/ns1/example.db.in Normal file
View File

@@ -0,0 +1,13 @@
$TTL 300 ; 5 minutes
@ IN SOA ns root (
2000082401 ; serial
1800 ; refresh (30 minutes)
1800 ; retry (30 minutes)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.1
txt TXT "recursed"

46
bin/tests/system/pkcs11/ns1/named.conf Normal file
View File

@@ -0,0 +1,46 @@
/*
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.2 2010/06/07 03:42:37 marka Exp $ */
controls { /* empty */ };
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
notify no;
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-md5;
};
controls {
inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
};
zone "example." {
type master;
file "example.db.signed";
allow-update { any; };
};

27
bin/tests/system/pkcs11/prereq.sh Normal file
View File

@@ -0,0 +1,27 @@
#!/bin/sh
#
# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: prereq.sh,v 1.2 2010/06/07 03:42:37 marka Exp $
../../../tools/genrandom 400 random.data
if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
then
rm -f Kfoo*
else
echo "I:This test requires that --with-openssl was used." >&2
exit 1
fi

40
bin/tests/system/pkcs11/setup.sh Normal file
View File

@@ -0,0 +1,40 @@
#!/bin/sh
#
# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: setup.sh,v 1.2 2010/06/07 03:42:37 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
RANDFILE=random.data
zone=example
infile=ns1/example.db.in
zonefile=ns1/example.db
$PK11GEN -b 1024 -l robie-zsk1 -i 01
$PK11GEN -b 1024 -l robie-zsk2 -i 02
$PK11GEN -b 2048 -l robie-ksk
zsk1=`$KEYFRLAB -a RSASHA1 -l robie-zsk1 example`
zsk2=`$KEYFRLAB -a RSASHA1 -l robie-zsk2 example`
ksk=`$KEYFRLAB -a RSASHA1 -f ksk -l robie-ksk example`
cat $infile $zsk1.key $ksk.key > $zonefile
$SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
cp $zsk2.key ns1/key
mv Kexample* ns1

72
bin/tests/system/pkcs11/tests.sh Normal file
View File

@@ -0,0 +1,72 @@
#!/bin/sh
#
# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.2 2010/06/07 03:42:37 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
RANDFILE=random.data
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
status=0
ret=0
zonefile=ns1/example.db
echo "I:testing PKCS#11 key generation"
count=`$PK11LIST | grep robie-ksk | wc -l`
if [ $count != 2 ]; then echo "I:failed"; status=1; fi
echo "I:testing offline signing with PKCS#11 keys"
count=`grep RRSIG $zonefile.signed | wc -l`
if [ $count != 12 ]; then echo "I:failed"; status=1; fi
echo "I:testing inline signing with PKCS#11 keys"
$NSUPDATE > /dev/null <<END || status=1
server 10.53.0.1 5300
ttl 300
zone example.
update add `grep -v ';' ns1/key`
send
END
echo "I:waiting 20 seconds for key changes to take effect"
sleep 20
$DIG $DIGOPTS ns.example. @10.53.0.1 a > dig.out || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
count=`grep RRSIG dig.out | wc -l`
if [ $count != 4 ]; then echo "I:failed"; status=1; fi
echo "I:testing PKCS#11 key destroy"
ret=0
$PK11DEL -l robie-zsk1 || ret=1
$PK11DEL -i 02 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
count=`$PK11LIST | grep robie-zsk | wc -l`
if [ $count != 0 ]; then echo "I:failed"; fi
status=`expr $status + $count`
echo "I:exit status: $status"
exit $status

1
bin/tests/system/pkcs11/usepkcs11 Normal file
View File

@@ -0,0 +1 @@
This test relies on PKCS#11!

14
bin/tests/system/run.sh
View File

@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: run.sh,v 1.42 2007/06/19 23:47:00 tbox Exp $
# $Id: run.sh,v 1.43 2010/06/07 03:42:37 marka Exp $
#
# Run a system test.
@@ -70,6 +70,18 @@ else
exit 0
fi
# Check for PKCS#11 support
if
test ! -f $test/usepkcs11 || sh cleanpkcs11.sh
then
: pkcs11 ok
else
echo "I:Need PKCS#11 for $test, skipping test." >&2
echo "R:PKCS11ONLY" >&2
echo "E:$test:`date`" >&2
exit 0
fi
# Set up any dynamically generated test data
if test -f $test/setup.sh
then

3
lib/tests/include/tests/t_api.h
View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: t_api.h,v 1.22 2007/06/19 23:47:24 tbox Exp $ */
/* $Id: t_api.h,v 1.23 2010/06/07 03:42:37 marka Exp $ */
#ifndef TESTS_T_API_H
#define TESTS_T_API_H 1
@@ -40,6 +40,7 @@
#define T_UNSUPPORTED 0x4
#define T_UNTESTED 0x5
#define T_THREADONLY 0x6
#define T_PKCS11ONLY 0x7
/*
*

5
lib/tests/t_api.c
View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: t_api.c,v 1.65 2009/03/02 23:47:43 tbox Exp $ */
/* $Id: t_api.c,v 1.66 2010/06/07 03:42:37 marka Exp $ */
/*! \file */
@@ -400,6 +400,9 @@ t_result(int result) {
case T_THREADONLY:
p = "THREADONLY";
break;
case T_PKCS11ONLY:
p = "PKCS11ONLY";
break;
default:
p = "UNKNOWN";
break;