[master] native PKCS#11 support

3705. [func] "configure --enable-native-pkcs11" enables BIND to use the PKCS#11 API for all cryptographic functions, so that it can drive a hardware service module directly without the need to use a modified OpenSSL as intermediary (so long as the HSM's vendor provides a complete-enough implementation of the PKCS#11 interface). This has been tested successfully with the Thales nShield HSM and with SoftHSMv2 from the OpenDNSSEC project. [RT #29031]
2014-01-14 15:40:56 -08:00
parent 1f4c645185
commit ba751492fc
244 changed files with 20979 additions and 3294 deletions
--- a/bin/tests/system/pkcs11/tests.sh
+++ b/bin/tests/system/pkcs11/tests.sh
@@ -26,47 +26,59 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
 status=0
 ret=0

-zonefile=ns1/example.db
+supported=`cat supported`
+case $supported in
+    rsaonly) algs="rsa" ;;
+    ecconly) algs="ecc" ;;
+    both) algs="rsa ecc" ;;
+esac

-echo "I:testing PKCS#11 key generation"

-count=`$PK11LIST | grep robie-ksk | wc -l`
-if [ $count != 2 ]; then echo "I:failed"; status=1; fi
+for alg in $algs; do
+    zonefile=ns1/$alg.example.db 
+    echo "I:testing PKCS#11 key generation ($alg)"
+    count=`$PK11LIST | grep robie-$alg-ksk | wc -l`
+    if [ $count != 2 ]; then echo "I:failed"; status=1; fi

-echo "I:testing offline signing with PKCS#11 keys"
+    echo "I:testing offline signing with PKCS#11 keys ($alg)"

-count=`grep RRSIG $zonefile.signed | wc -l`
-if [ $count != 12 ]; then echo "I:failed"; status=1; fi
+    count=`grep RRSIG $zonefile.signed | wc -l`
+    if [ $count != 12 ]; then echo "I:failed"; status=1; fi

-echo "I:testing inline signing with PKCS#11 keys"
+    echo "I:testing inline signing with PKCS#11 keys ($alg)"

-$NSUPDATE > /dev/null <<END || status=1
+    $NSUPDATE > /dev/null <<END || status=1
 server 10.53.0.1 5300
 ttl 300
-zone example.
-update add `grep -v ';' ns1/key`
+zone $alg.example.
+update add `grep -v ';' ns1/${alg}.key`
 send
 END

-echo "I:waiting 20 seconds for key changes to take effect"
-sleep 20
+    echo "I:waiting 20 seconds for key changes to take effect"
+    sleep 20

-$DIG $DIGOPTS ns.example. @10.53.0.1 a > dig.out || ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-count=`grep RRSIG dig.out | wc -l`
-if [ $count != 4 ]; then echo "I:failed"; status=1; fi
+    $DIG $DIGOPTS ns.$alg.example. @10.53.0.1 a > dig.out || ret=1
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
+    count=`grep RRSIG dig.out | wc -l`
+    if [ $count != 4 ]; then echo "I:failed"; status=1; fi

-echo "I:testing PKCS#11 key destroy"
-
-ret=0
-$PK11DEL -l robie-zsk1 || ret=1
-$PK11DEL -i 02 || ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-count=`$PK11LIST | grep robie-zsk | wc -l`
-if [ $count != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $count`
+    echo "I:testing PKCS#11 key destroy ($alg)"
+    ret=0
+    $PK11DEL -l robie-$alg-ksk -w0 > /dev/null 2>&1 || ret=1
+    $PK11DEL -l robie-$alg-zsk1 -w0 > /dev/null 2>&1 || ret=1
+    case $alg in
+        rsa) id=02 ;;
+        ecc) id=04 ;;
+    esac
+    $PK11DEL -i $id -w0 > /dev/null 2>&1 || ret=1
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
+    count=`$PK11LIST | grep robie-$alg | wc -l`
+    if [ $count != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $count`
+done

 echo "I:exit status: $status"
 exit $status