[master] native PKCS#11 support

3705.	[func]		"configure --enable-native-pkcs11" enables BIND
			to use the PKCS#11 API for all cryptographic
			functions, so that it can drive a hardware service
			module directly without the need to use a modified
			OpenSSL as intermediary (so long as the HSM's vendor
			provides a complete-enough implementation of the
			PKCS#11 interface). This has been tested successfully
			with the Thales nShield HSM and with SoftHSMv2 from
			the OpenDNSSEC project. [RT #29031]

bin/tests/system/pkcs11/setup.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2010, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -14,28 +14,63 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.3 2010/06/08 23:50:24 tbox Exp $
-
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
 RANDFILE=random.data
-
-zone=example
 infile=ns1/example.db.in
-zonefile=ns1/example.db
 
-$PK11GEN -b 1024 -l robie-zsk1 -i 01
-$PK11GEN -b 1024 -l robie-zsk2 -i 02
-$PK11GEN -b 2048 -l robie-ksk
+/bin/echo -n ${HSMPIN:-1234}> pin
+PWD=`pwd`
 
-zsk1=`$KEYFRLAB -a RSASHA1 -l robie-zsk1 example`
-zsk2=`$KEYFRLAB -a RSASHA1 -l robie-zsk2 example`
-ksk=`$KEYFRLAB -a RSASHA1 -f ksk -l robie-ksk example`
+supported=`cat supported`
+
+zone=rsa.example
+zonefile=ns1/rsa.example.db
+if [ "$supported" != "ecconly" ]; then
+    $PK11GEN -a RSA -b 1024 -l robie-rsa-zsk1 -i 01
+    $PK11GEN -a RSA -b 1024 -l robie-rsa-zsk2 -i 02
+    $PK11GEN -a RSA -b 2048 -l robie-rsa-ksk
+
+    rsazsk1=`$KEYFRLAB -a RSASHA1 \
+            -l "object=robie-rsa-zsk1;pin-source=$PWD/pin" rsa.example`
+    rsazsk2=`$KEYFRLAB -a RSASHA1 \
+            -l "object=robie-rsa-zsk2;pin-source=$PWD/pin" rsa.example`
+    rsaksk=`$KEYFRLAB -a RSASHA1 -f ksk \
+            -l "object=robie-rsa-ksk;pin-source=$PWD/pin" rsa.example`
+
+    cat $infile $rsazsk1.key $rsaksk.key > $zonefile
+    $SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
+            > /dev/null 2> signer.err || cat signer.err
+    cp $rsazsk2.key ns1/rsa.key
+    mv Krsa* ns1
+else
+    # RSA not available and will not be tested; make a placeholder
+    cp $infile ${zonefile}.signed
+fi
+
+zone=ecc.example
+zonefile=ns1/ecc.example.db
+if [ "$supported" != "rsaonly" ]; then
+    $PK11GEN -a ECC -b 256 -l robie-ecc-zsk1 -i 03
+    $PK11GEN -a ECC -b 256 -l robie-ecc-zsk2 -i 04
+    $PK11GEN -a ECC -b 384 -l robie-ecc-ksk
+
+    ecczsk1=`$KEYFRLAB -a ECDSAP256SHA256 \
+            -l "object=robie-ecc-zsk1;pin-source=$PWD/pin" ecc.example`
+    ecczsk2=`$KEYFRLAB -a ECDSAP256SHA256 \
+            -l "object=robie-ecc-zsk2;pin-source=$PWD/pin" ecc.example`
+    eccksk=`$KEYFRLAB -a ECDSAP384SHA384 -f ksk \
+            -l "object=robie-ecc-ksk;pin-source=$PWD/pin" ecc.example`
+
+    cat $infile $ecczsk1.key $eccksk.key > $zonefile
+    $SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
+        > /dev/null 2> signer.err || cat signer.err
+    cp $ecczsk2.key ns1/ecc.key
+    mv Kecc* ns1
+else
+    # ECC not available and will not be tested; make a placeholder
+    cp $infile ${zonefile}.signed
+fi
 
-cat $infile $zsk1.key $ksk.key > $zonefile
-$SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
 rm -f signer.err
-
-cp $zsk2.key ns1/key
-mv Kexample* ns1