Merge branch 'matthijs-keyfromlabel-system-test' into 'main'

Add keyfromlabel system test

Closes #3092

See merge request isc-projects/bind9!5312

.gitlab-ci.yml

@@ -7,6 +7,9 @@ variables:
   CI_REGISTRY_IMAGE: registry.gitlab.isc.org/isc-projects/images/bind9
   CCACHE_DIR: "/ccache"
   SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf"
+  OPENSSL_ENGINES: "/usr/lib/x86_64-linux-gnu/engines-1.1"
+  DEFAULT_OPENSSL_CONF: "/etc/ssl/openssl.cnf"
+  OPENSSL_CONF: "/var/tmp/etc/openssl.cnf"
 
   GIT_DEPTH: 1
   BUILD_PARALLEL_JOBS: 6
@@ -309,15 +312,10 @@ stages:
         sudo sh -x bin/tests/system/ifconfig.sh up;
       fi
 
-.setup_softhsm: &setup_softhsm
-    - export SLOT=$(sh -x bin/tests/prepare-softhsm2.sh)
-    - test -n "${SLOT}" && test "${SLOT}" -gt 0
-
 .system_test_common: &system_test_common
   <<: *default_triggering_rules
   stage: system
   before_script:
-    - *setup_softhsm
     - *retrieve_out_of_tree_workspace
     - *setup_interfaces
   script:
@@ -358,7 +356,6 @@ stages:
   <<: *default_triggering_rules
   stage: unit
   before_script:
-    - *setup_softhsm
     - *retrieve_out_of_tree_workspace
   script:
     - make -j${TEST_PARALLEL_JOBS:-1} -k unit V=1
@@ -932,11 +929,15 @@ gcc:asan:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON} -fsanitize=address,undefined"
     LDFLAGS: "-fsanitize=address,undefined"
+    SOFTHSM2_MODULE: "/lib64/libsofthsm2.so"
     EXTRA_CONFIGURE: "--with-libidn2 --without-jemalloc"
   <<: *fedora_35_amd64_image
   <<: *build_job
 
 system:gcc:asan:
+  variables:
+    SOFTHSM2_MODULE: "/lib64/libsofthsm2.so"
+    LSAN_OPTIONS: "suppressions=/builds/isc-projects/bind9/suppr-lsan.txt"
   <<: *fedora_35_amd64_image
   <<: *system_test_job
   needs:
@@ -980,12 +981,14 @@ gcc:tsan:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON} -fsanitize=thread"
     LDFLAGS: "-fsanitize=thread"
+    SOFTHSM2_MODULE: "/lib64/libsofthsm2.so"
     EXTRA_CONFIGURE: "--with-libidn2 --enable-pthread-rwlock --without-jemalloc"
   <<: *fedora_35_amd64_image
   <<: *build_job
 
 system:gcc:tsan:
   variables:
+    SOFTHSM2_MODULE: "/lib64/libsofthsm2.so"
     TSAN_OPTIONS: ${TSAN_OPTIONS_COMMON}
   <<: *fedora_35_amd64_image
   <<: *system_test_tsan_job
@@ -1297,7 +1300,6 @@ respdiff-third-party:
   script:
     - *configure
     - *setup_interfaces
-    - *setup_softhsm
     - make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1
     - make DESTDIR="${INSTALL_PATH}" install
     - git clone --depth 1 https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.isc.org/isc-private/bind-qa.git

CHANGES

@@ -1,3 +1,5 @@
+5798.	[test]		Add system test to test dnssec-keyfromlabel. [GL #3092]
+
 5797.	[bug]		A failed view configuration during a named
 			reconfiguration procedure could cause inconsistencies
 			in BIND internal structures, causing a crash or other

bin/tests/Makefile.am

@@ -31,5 +31,3 @@ wire_test_CPPFLAGS =		\
 wire_test_LDADD =		\
 	$(LIBISC_LIBS)		\
 	$(LIBDNS_LIBS)
-
-EXTRA_DIST = prepare-softhsm2.sh

bin/tests/prepare-softhsm2.sh

@@ -1,22 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0.  If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-if [ -n "${SOFTHSM2_CONF}" ] && command -v softhsm2-util >/dev/null; then
-    SOFTHSM2_DIR=$(dirname "$SOFTHSM2_CONF")
-    mkdir -p "${SOFTHSM2_DIR}/tokens"
-    echo "directories.tokendir = ${SOFTHSM2_DIR}/tokens" > "${SOFTHSM2_CONF}"
-    echo "objectstore.backend = file" >> "${SOFTHSM2_CONF}"
-    echo "log.level = DEBUG" >> "${SOFTHSM2_CONF}"
-    softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'
-fi
-exit 0

bin/tests/system/Makefile.am

@@ -125,6 +125,7 @@ TESTS +=			\
 	hooks			\
 	journal			\
 	keepalive		\
+	keyfromlabel		\
 	legacy			\
 	limits			\
 	logfileconfig		\

bin/tests/system/conf.sh.in

@@ -85,6 +85,7 @@ dnssec
 dyndb
 filter-aaaa
 kasp
+keyfromlabel
 keymgr2kasp
 legacy
 logfileconfig

bin/tests/system/keyfromlabel/clean.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+rm -f K*
+rm -f pin
+rm -f dsset-*
+rm -f *.example.db *.example.db.signed
+rm -f keyfromlabel.out.*
+rm -f pkcs11-tool.out.*
+rm -f signer.out.*
+
+softhsm2-util --delete-token --token "softhsm2" || echo_i "softhsm2 token not found"

bin/tests/system/keyfromlabel/prereq.sh

@@ -0,0 +1,21 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+if [ -n "${SOFTHSM2_MODULE}" ] && command -v softhsm2-util >/dev/null; then
+	exit 0
+fi
+
+echo_i "skip: softhsm2-util not available"
+exit 255

bin/tests/system/keyfromlabel/setup.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'
+
+printf '%s' "${HSMPIN:-1234}" > pin
+PWD=$(pwd)

bin/tests/system/keyfromlabel/template.db.in

@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.1
+
+txt			TXT	"test"
+

bin/tests/system/keyfromlabel/tests.sh

@@ -0,0 +1,90 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+PWD=$(pwd)
+
+keygen() {
+	type="$1"
+	bits="$2"
+	zone="$3"
+	id="$4"
+
+	label="${id}-${zone}"
+	p11id=$(echo "${label}" | sha1sum - | awk '{print $1}')
+	pkcs11-tool --module $SOFTHSM2_MODULE -l -k --key-type $type:$bits --label "${label}" --id "${p11id//$'\n'/}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id || return 1
+}
+
+keyfromlabel() {
+        alg="$1"
+        zone="$2"
+        id="$3"
+        shift 3
+
+	$KEYFRLAB -E pkcs11 -a $alg -l "token=softhsm2;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >> keyfromlabel.out.$zone.$id 2>> /dev/null || return 1
+	cat keyfromlabel.out.$zone.$id
+}
+
+infile="template.db.in"
+for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
+		   ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1
+		   # Edwards curves are not yet supported by OpenSC
+		   # ed25519:EC:edwards25519 ed448:EC:edwards448
+do
+	alg=$(echo "$algtypebits" | cut -f 1 -d :)
+	type=$(echo "$algtypebits" | cut -f 2 -d :)
+	bits=$(echo "$algtypebits" | cut -f 3 -d :)
+
+	if $SHELL ../testcrypto.sh $alg; then
+		zone="$alg.example"
+		zonefile="zone.$alg.example.db"
+		ret=0
+
+		echo_i "Generate keys $alg $type:$bits for zone $zone"
+		keygen $type $bits $zone keyfromlabel-zsk || ret=1
+		keygen $type $bits $zone keyfromlabel-ksk || ret=1
+		test "$ret" -eq 0 || echo_i "failed"
+		status=$((status+ret))
+
+		# Skip dnssec-keyfromlabel if key generation failed.
+		test $ret == 0 || continue
+
+		echo_i "Get ZSK $alg $id-$zone $type:$bits"
+		ret=0
+		zsk=$(keyfromlabel $alg $zone keyfromlabel-zsk)
+		test -z "$zsk" && ret=1
+
+		echo_i "Get KSK $alg $id-$zone $type:$bits"
+		ret=0
+		ksk=$(keyfromlabel $alg $zone keyfromlabel-ksk -f KSK)
+		test -z "$ksk" && ret=1
+
+		test "$ret" -eq 0 || echo_i "failed (zsk=$zsk ksk=$ksk)"
+		status=$((status+ret))
+
+		# Skip signing if dnssec-keyfromlabel failed.
+		test $ret == 0 || continue
+
+		echo_i "Sign zone with $ksk $zsk"
+		ret=0
+		cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
+		$SIGNER -E pkcs11 -S -a -g -o "$zone" "$zonefile" > signer.out.$zone || ret=1
+		test "$ret" -eq 0 || echo_i "failed"
+		status=$((status+ret))
+	fi
+done
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1

bin/tests/system/run.sh.in

@@ -74,7 +74,21 @@ if ! $do_run; then
     if [ "$baseport" -eq 0 ]; then
         log_flags="$log_flags -p 5300"
     fi
-    env - SYSTEMTEST_FORCE_COLOR="$SYSTEMTEST_FORCE_COLOR" SYSTEMTEST_NO_CLEAN="$SYSTEMTEST_NO_CLEAN" SLOT="$SLOT" SOFTHSM2_CONF="$SOFTHSM2_CONF" PATH="$PATH" ${LD_LIBRARY_PATH:+"LD_LIBRARY_PATH=${LD_LIBRARY_PATH}"} TESTS="$*" TEST_SUITE_LOG=run.log LOG_DRIVER_FLAGS="--verbose yes --color-tests yes" LOG_FLAGS="$log_flags" TEST_LARGE_MAP="${TEST_LARGE_MAP}" make -e check
+    env - \
+        SYSTEMTEST_FORCE_COLOR="$SYSTEMTEST_FORCE_COLOR" \
+        SYSTEMTEST_NO_CLEAN="$SYSTEMTEST_NO_CLEAN" \
+        SLOT="$SLOT" \
+        OPENSSL_CONF="$OPENSSL_CONF" \
+        SOFTHSM2_CONF="$SOFTHSM2_CONF" \
+        SOFTHSM2_MODULE="$SOFTHSM2_MODULE" \
+        PATH="$PATH" \
+        ${LD_LIBRARY_PATH:+"LD_LIBRARY_PATH=${LD_LIBRARY_PATH}"} \
+        TESTS="$*" \
+        TEST_SUITE_LOG=run.log \
+        LOG_DRIVER_FLAGS="--verbose yes --color-tests yes" \
+        LOG_FLAGS="$log_flags" \
+        TEST_LARGE_MAP="${TEST_LARGE_MAP}" \
+        make -e check
     exit $?
 fi
 

bin/tests/system/runtime/tests.sh

@@ -228,8 +228,6 @@ if [ "$(id -u)" -eq 0 ]; then
     TEMP_NAMED_DIR=$(mktemp -d "$(pwd)/ns2/tmp.XXXXXXXX")
     if [ "$?" -eq 0 ]; then
 	copy_setports ns2/named-alt9.conf.in "${TEMP_NAMED_DIR}/named-alt9.conf"
-	export SOFTHSM2_CONF="${TEMP_NAMED_DIR}/softhsm2.conf"
-	sh "$TOP_SRCDIR/bin/tests/prepare-softhsm2.sh"
 	chown -R nobody: "${TEMP_NAMED_DIR}"
 	chmod 0700 "${TEMP_NAMED_DIR}"
 	testpid=$(run_named "${TEMP_NAMED_DIR}" "${TEMP_NAMED_DIR}/named$n.run" -u nobody -c named-alt9.conf)

doc/arm/pkcs11.rst

@@ -113,7 +113,9 @@ brackets) are defined:
 
    openssl_conf = openssl_init
 
-And add following lines at the bottom of the file:
+And make sure there are no other 'openssl_conf = ...' lines in the file.
+
+Add following lines at the bottom of the file:
 
 ::
 
@@ -145,7 +147,7 @@ We need to generate at least two RSA keys:
 ::
 
    pkcs11-tool --module <FULL_PATH_TO_HSM_MODULE> -l -k --key-type rsa:2048 --label example.net-ksk --pin <PIN>
-   pkcs11-tool --module <FULL_PATH_TO_HSM_MODULE> -l -k --key-type rsa:2048 --label example.net-ksk --pin <PIN>
+   pkcs11-tool --module <FULL_PATH_TO_HSM_MODULE> -l -k --key-type rsa:2048 --label example.net-zsk --pin <PIN>
 
 Remember that each key should have unique label and we are going to use that
 label to reference the private key.
@@ -197,6 +199,18 @@ The output should look like this (the second number will be different):
    Kexample.net.+008+42231.key
    Kexample.net.+008+42231.private
 
+A note on generating ECDSA keys: there is a bug in libp11 when looking up a key,
+that function compares keys only on their ID, not the label. So when looking up
+a key it returns the first key, rather than the matching key. The workaround for
+this is when creating ECDSA keys, you should specify a unique ID:
+
+::
+
+   ksk=$(echo "example.net-ksk" | sha1sum - | awk '{print $1}')
+   zsk=$(echo "example.net-zsk" | sha1sum - | awk '{print $1}')
+   pkcs11-tool --module <FULL_PATH_TO_HSM_MODULE> -l -k --key-type EC:prime256v1 --id $ksk --label example.net-ksk --pin <PIN>
+   pkcs11-tool --module <FULL_PATH_TO_HSM_MODULE> -l -k --key-type EC:prime256v1 --id $zsk --label example.net-zsk --pin <PIN>
+
 
 Specifying the Engine on the Command Line
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

suppr-lsan.txt

@@ -0,0 +1,26 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# These are known leaks in libp11.
+leak:BN_MONT_CTX_new
+leak:C_LoadModule
+leak:ctx_new
+leak:ctx_try_load_object
+leak:dlfcn_name_converter
+leak:EC_GROUP_set_seed
+leak:CRYPTO_strdup
+leak:CRYPTO_zalloc
+leak:pkcs11_check_token
+leak:pkcs11_CTX_new
+leak:pkcs11_enumerate_slots
+leak:pkcs11_getattr_alloc
+leak:pkcs11_init_key
+leak:pkcs11_strdup