From 28093e56a90f0665c4f159959541d883450ade3c Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 17 Jan 2022 11:39:02 +0100 Subject: [PATCH 1/5] Add system test for engine_pkcs11 Add a system test for engine_pkcs11 interactions that replaces the tests that are done in the native PKCS#11 system test. The native PKCS#11 code was removed in 9.17 but without copying the pkcs11 system test. (cherry picked from commit 11a0b41370c90db0061c6f2504dfcb628155c264) --- CHANGES | 2 + bin/tests/system/Makefile.am | 1 + bin/tests/system/conf.sh.in | 1 + bin/tests/system/engine_pkcs11/clean.sh | 35 ++++ bin/tests/system/engine_pkcs11/ns1/named.args | 1 + .../system/engine_pkcs11/ns1/named.conf.in | 36 ++++ .../system/engine_pkcs11/ns1/template.db.in | 24 +++ bin/tests/system/engine_pkcs11/prereq.sh | 21 +++ bin/tests/system/engine_pkcs11/setup.sh | 125 +++++++++++++ bin/tests/system/engine_pkcs11/tests.sh | 168 ++++++++++++++++++ 10 files changed, 414 insertions(+) create mode 100644 bin/tests/system/engine_pkcs11/clean.sh create mode 100644 bin/tests/system/engine_pkcs11/ns1/named.args create mode 100644 bin/tests/system/engine_pkcs11/ns1/named.conf.in create mode 100644 bin/tests/system/engine_pkcs11/ns1/template.db.in create mode 100644 bin/tests/system/engine_pkcs11/prereq.sh create mode 100644 bin/tests/system/engine_pkcs11/setup.sh create mode 100644 bin/tests/system/engine_pkcs11/tests.sh diff --git a/CHANGES b/CHANGES index f1640c52db..1641c0c505 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +5802. [test] Add system test to test engine_pkcs11. [GL !5727] + 5801. [bug] Log "quota reached" message when hard quota is reached when accepting a connection. [GL #3125] diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am index b6a855f45e..c21ce5436f 100644 --- a/bin/tests/system/Makefile.am +++ b/bin/tests/system/Makefile.am @@ -114,6 +114,7 @@ TESTS += \ eddsa \ ednscompliance \ emptyzones \ + engine_pkcs11 \ filter-aaaa \ formerr \ geoip2 \ 
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index cad051c5b9..dd32ba4dd9 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -83,6 +83,7 @@ cookie
 dlzexternal
 dnssec
 dyndb
+engine_pkcs11
 filter-aaaa
 kasp
 keyfromlabel
diff --git a/bin/tests/system/engine_pkcs11/clean.sh b/bin/tests/system/engine_pkcs11/clean.sh
new file mode 100644
index 0000000000..6440e2661b
--- /dev/null
+++ b/bin/tests/system/engine_pkcs11/clean.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+rm -f dig.out.*
+rm -f dsset-*
+rm -f pin
+rm -f keyfromlabel.out.*
+rm -f pkcs11-tool.out.*
+rm -f signer.out.*
+rm -f ns1/*.example.db ns1/*.example.db.signed
+rm -f ns1/*.kskid1 ns1/*.kskid2 ns1/*.zskid1 ns1/*.zskid2
+rm -f ns1/dig.out.*
+rm -f ns1/K*
+rm -f ns1/named.conf ns1/named.run ns1/named.memstats
+rm -f ns1/update.cmd.*
+rm -f ns1/update.log.*
+rm -f ns1/verify.out.*
+rm -f ns1/zone.*.signed.jnl ns1/zone.*.signed.jbk
+
+softhsm2-util --delete-token --token "softhsm2-engine_pkcs11" >/dev/null 2>&1 || echo_i "softhsm2-engine_pkcs11 token not found for cleaning"
diff --git a/bin/tests/system/engine_pkcs11/ns1/named.args b/bin/tests/system/engine_pkcs11/ns1/named.args
new file mode 100644
index 0000000000..0382a63ccd
--- /dev/null
+++ b/bin/tests/system/engine_pkcs11/ns1/named.args
@@ -0,0 +1 @@
+-E pkcs11 -D engine_pkcs11-ns1 -X named.lock -m record -c named.conf -d 99 -U 4 -T maxcachesize=2097152
diff --git a/bin/tests/system/engine_pkcs11/ns1/named.conf.in b/bin/tests/system/engine_pkcs11/ns1/named.conf.in
new file mode 100644
index 0000000000..8f2687d538
--- /dev/null
+++ b/bin/tests/system/engine_pkcs11/ns1/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ notify no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/engine_pkcs11/ns1/template.db.in b/bin/tests/system/engine_pkcs11/ns1/template.db.in
new file mode 100644
index 0000000000..7941903808
--- /dev/null
+++ b/bin/tests/system/engine_pkcs11/ns1/template.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns root (
+ 2000082401 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+
+txt TXT "test"
+
diff --git a/bin/tests/system/engine_pkcs11/prereq.sh b/bin/tests/system/engine_pkcs11/prereq.sh
new file mode 100644
index 0000000000..296452b402
--- /dev/null
+++ b/bin/tests/system/engine_pkcs11/prereq.sh
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+if [ -n "${SOFTHSM2_MODULE}" ] && command -v softhsm2-util >/dev/null; then
+ exit 0
+fi
+
+echo_i "skip: softhsm2-util not available"
+exit 255
diff --git a/bin/tests/system/engine_pkcs11/setup.sh b/bin/tests/system/engine_pkcs11/setup.sh
new file mode 100644
index 0000000000..2f2f6e1100
--- /dev/null
+++ b/bin/tests/system/engine_pkcs11/setup.sh
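Review bot: prereq.sh's skip condition only checks `SOFTHSM2_MODULE` and `softhsm2-util`, yet setup.sh in this same series generates every key with `pkcs11-tool` (OpenSC), so a host that has SoftHSMv2 but no OpenSC fails the test with a command-not-found instead of skipping it. Extend the guard to `if [ -n "${SOFTHSM2_MODULE}" ] && command -v softhsm2-util >/dev/null && command -v pkcs11-tool >/dev/null; then` and widen the skip message to name both tools. Separately, the `-e` in `#!/bin/sh -e` is silently dropped when the file is run as `$SHELL prereq.sh`, which is presumably how the system-test harness invokes it; put an explicit `set -e` in the body instead, as clean.sh and setup.sh in this patch already do.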
@@ -0,0 +1,125 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2-engine_pkcs11" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'
+
+printf '%s' "${HSMPIN:-1234}" > pin
+PWD=$(pwd)
+
+copy_setports ns1/named.conf.in ns1/named.conf
+
+keygen() {
+ type="$1"
+ bits="$2"
+ zone="$3"
+ id="$4"
+
+ label="${id}-${zone}"
+ p11id=$(echo "${label}" | sha1sum - | awk '{print $1}')
+ pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-engine_pkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id//$'\n'/}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id || return 1
+}
+
+keyfromlabel() {
+ alg="$1"
+ zone="$2"
+ id="$3"
+ dir="$4"
+ shift 4
+
+ $KEYFRLAB -K $dir -E pkcs11 -a $alg -l "token=softhsm2-engine_pkcs11;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >> keyfromlabel.out.$zone.$id 2>> /dev/null || return 1
+ cat keyfromlabel.out.$zone.$id
+}
+
+
+# Setup ns1.
+dir="ns1" +infile="${dir}/template.db.in" +for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \ + ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1 + # Edwards curves are not yet supported by OpenSC + # ed25519:EC:edwards25519 ed448:EC:edwards448 +do + alg=$(echo "$algtypebits" | cut -f 1 -d :) + type=$(echo "$algtypebits" | cut -f 2 -d :) + bits=$(echo "$algtypebits" | cut -f 3 -d :) + + if $SHELL ../testcrypto.sh $alg; then + zone="$alg.example" + zonefile="zone.$alg.example.db" + ret=0 + + echo_i "Generate keys $alg $type:$bits for zone $zone" + keygen $type $bits $zone enginepkcs11-zsk || ret=1 + keygen $type $bits $zone enginepkcs11-ksk || ret=1 + test "$ret" -eq 0 || exit 1 + + echo_i "Get ZSK $alg $zone $type:$bits" + zsk1=$(keyfromlabel $alg $zone enginepkcs11-zsk $dir) + test -z "$zsk1" && exit 1 + + echo_i "Get KSK $alg $zone $type:$bits" + ksk1=$(keyfromlabel $alg $zone enginepkcs11-ksk $dir -f KSK) + test -z "$ksk1" && exit 1 + + ( + cd $dir + zskid1=$(keyfile_to_key_id $zsk1) + kskid1=$(keyfile_to_key_id $ksk1) + echo "$zskid1" > $zone.zskid1 + echo "$kskid1" > $zone.kskid1 + ) + + echo_i "Sign zone with $ksk1 $zsk1" + cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" > "${dir}/${zonefile}" + $SIGNER -K $dir -E pkcs11 -S -a -g -O full -o "$zone" "${dir}/${zonefile}" > signer.out.$zone || ret=1 + test "$ret" -eq 0 || exit 1 + + echo_i "Generate successor keys $alg $type:$bits for zone $zone" + keygen $type $bits $zone enginepkcs11-zsk2 || ret=1 + keygen $type $bits $zone enginepkcs11-ksk2 || ret=1 + test "$ret" -eq 0 || exit 1 + + echo_i "Get ZSK $alg $id-$zone $type:$bits" + zsk2=$(keyfromlabel $alg $zone enginepkcs11-zsk2 $dir) + test -z "$zsk2" && exit 1 + + echo_i "Get KSK $alg $id-$zone $type:$bits" + ksk2=$(keyfromlabel $alg $zone enginepkcs11-ksk2 $dir -f KSK) + test -z "$ksk2" && exit 1 + + ( + cd $dir + zskid2=$(keyfile_to_key_id $zsk2) + kskid2=$(keyfile_to_key_id $ksk2) + echo "$zskid2" > $zone.zskid2 + echo "$kskid2" > 
$zone.kskid2 + cp "${zsk2}.key" "${zsk2}.zsk2" + cp "${ksk2}.key" "${ksk2}.ksk2" + ) + + echo_i "Add zone $zone to named.conf" + cat >> "${dir}/named.conf" < verify.out.$zone.$n 2>&1 || ret=1 + test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)" + status=$((status+ret)) + + # Test inline signing with keys stored in engine. + zskid1=$(cat "${zone}.zskid1") + zskid2=$(cat "${zone}.zskid2") + + n=$((n+1)) + ret=0 + echo_i "Test inline signing for $zone ($n)" + dig_with_opts "$zone" @10.53.0.1 SOA > dig.out.soa.$zone.$n || ret=1 + awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n > dig.out.keyids.$zone.$n || return 1 + numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) + test $numsigs -eq 1 || return 1 + grep -w "$zskid1" dig.out.keyids.$zone.$n > /dev/null || return 1 + test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed with key $zskid1)" + status=$((status+ret)) + + + n=$((n+1)) + ret=0 + echo_i "Dynamically update $zone, add new zsk ($n)" + zsk2=$(grep -v ';' K${zone}.*.zsk2) + cat > "update.cmd.zsk.$zone.$n" < "update.log.zsk.$zone.$n" < "update.cmd.zsk.$zone.$n" || ret=1 + test "$ret" -eq 0 || echo_i "failed (update failed)" + status=$((status+ret)) + + n=$((n+1)) + ret=0 + echo_i "Test DNSKEY response for $zone after inline signing ($n)" + _dig_dnskey() ( + dig_with_opts "$zone" @10.53.0.1 DNSKEY > dig.out.dnskey.$zone.$n || return 1 + count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n) + test $count -eq 3 + ) + retry_quiet 10 _dig_dnskey || ret=1 + test "$ret" -eq 0 || echo_i "failed (expected 3 DNSKEY records)" + status=$((status+ret)) + + n=$((n+1)) + ret=0 + echo_i "Test SOA response for $zone after inline signing ($n)" + _dig_soa() ( + dig_with_opts "$zone" @10.53.0.1 SOA > dig.out.soa.$zone.$n || return 1 + awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n > dig.out.keyids.$zone.$n || return 1 + numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) + test $numsigs -eq 2 || return 1 + grep -w 
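Review bot: The token is initialized with a fixed `--pin 1234 --so-pin 1234` while the `pin` file that pkcs11-tool (`--pin $(cat $PWD/pin)`) and dnssec-keyfromlabel (`pin-source=$PWD/pin`) actually read is written from `${HSMPIN:-1234}`, so setting HSMPIN to anything else leaves the token with a PIN no later step presents and every key operation fails on a wrong PIN. Initialize with the same value: `softhsm2-util --init-token --free --pin "${HSMPIN:-1234}" --so-pin "${HSMPIN:-1234}" --label "softhsm2-engine_pkcs11" | awk ...`. That same line ends in `| awk`, so under `set -e` a failing softhsm2-util is masked by awk's exit status and setup only dies later with a confusing pkcs11-tool error; capture the first stage's status (or write its output to a file and awk that) before continuing. In the successor-key block, `echo_i "Get ZSK $alg $id-$zone $type:$bits"` and the matching KSK line reuse `$id`, which is only set inside keygen/keyfromlabel — the very defect patch 3/5 of this series fixes in keyfromlabel/tests.sh — so drop `$id-` here as well. The end of this hunk (the named.conf here-document and the loop's closing lines) is garbled in this rendering and was not reviewed.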
"$zskid1" dig.out.keyids.$zone.$n > /dev/null || return 1 + grep -w "$zskid2" dig.out.keyids.$zone.$n > /dev/null || return 1 + return 0 + ) + retry_quiet 10 _dig_soa || ret=1 + test "$ret" -eq 0 || echo_i "failed (expected 2 SOA RRSIG records)" + status=$((status+ret)) + + # Test inline signing with keys stored in engine (key signing). + kskid1=$(cat "${zone}.kskid1") + kskid2=$(cat "${zone}.kskid2") + + n=$((n+1)) + ret=0 + echo_i "Dynamically update $zone, add new ksk ($n)" + ksk2=$(grep -v ';' K${zone}.*.ksk2) + cat > "update.cmd.ksk.$zone.$n" < "update.log.ksk.$zone.$n" < "update.cmd.ksk.$zone.$n" || ret=1 + test "$ret" -eq 0 || echo_i "failed (update failed)" + status=$((status+ret)) + + n=$((n+1)) + ret=0 + echo_i "Test DNSKEY response for $zone after inline signing (key signing) ($n)" + _dig_dnskey_ksk() ( + dig_with_opts "$zone" @10.53.0.1 DNSKEY > dig.out.dnskey.$zone.$n || return 1 + count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n) + test $count -eq 4 || return 1 + awk '$4 == "RRSIG" { print $11 }' dig.out.dnskey.$zone.$n > dig.out.keyids.$zone.$n || return 1 + numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) + test $numsigs -eq 2 || return 1 + grep -w "$kskid1" dig.out.keyids.$zone.$n > /dev/null || return 1 + grep -w "$kskid2" dig.out.keyids.$zone.$n > /dev/null || return 1 + return 0 + ) + retry_quiet 10 _dig_dnskey_ksk || ret=1 + test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)" + status=$((status+ret)) + +done + +# Go back to main test dir. +cd .. + +# TODO: Checking for assertion failure in pk11_numbits + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 From a9f7e4badb748b49d28e3cce7309d3360fea1e74 Mon Sep 17 00:00:00 2001 
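Review bot: In the first "Test inline signing" check, `awk '$4 == "RRSIG" { print $11 }' ... > dig.out.keyids.$zone.$n || return 1`, `test $numsigs -eq 1 || return 1` and `grep -w "$zskid1" ... || return 1` sit at the top level of the `for` loop, not inside a function, so a mismatch never sets `ret` and is never added to `status`; depending on the shell, `return` there either prints "can only `return' from a function" and carries on, or abandons the rest of the script. Change all three to `|| ret=1` so the failure is reported by the `echo_i "failed (SOA RRset not signed with key $zskid1)"` line that follows, which is how the later `_dig_dnskey`/`_dig_soa` subshell functions in this hunk correctly use `return 1`. The head of this hunk (the diff header and the first checks of the loop) is garbled in this rendering and was not reviewed.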
From: Matthijs Mekking Date: Tue, 18 Jan 2022 09:36:59 +0100 Subject: [PATCH 2/5] Add test for assertion failure in pk11_numbits This test was originally in the pkcs11 system test. While this crash happened in the native pkcs11 of BIND 9, and that code has been removed in 9.17, there is no need for this test. Nevertheless, it doesn't hurt having the test case persist. (cherry picked from commit bfe287f4a4d6263f7eb0da0f603f084a79417c06) --- .../2037-pk11_numbits-crash-test.pkt | 30 +++++++++++++++++++ bin/tests/system/engine_pkcs11/tests.sh | 8 ++++- 2 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 bin/tests/system/engine_pkcs11/2037-pk11_numbits-crash-test.pkt diff --git a/bin/tests/system/engine_pkcs11/2037-pk11_numbits-crash-test.pkt b/bin/tests/system/engine_pkcs11/2037-pk11_numbits-crash-test.pkt new file mode 100644 index 0000000000..b9c5a32ade --- /dev/null +++ b/bin/tests/system/engine_pkcs11/2037-pk11_numbits-crash-test.pkt 
@@ -0,0 +1,30 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+edda 2800 0001 0000 0001 0000 0972 7361
+7368 6132 3536 0765 7861 6d70 6c65 0000
+0600 01c0 0c00 3000 0100 0001 2c01 0801
+0003 0803 0100 0100 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 00
diff --git a/bin/tests/system/engine_pkcs11/tests.sh b/bin/tests/system/engine_pkcs11/tests.sh
index b97c60b69f..256ae2eef3 100644
--- a/bin/tests/system/engine_pkcs11/tests.sh
+++ b/bin/tests/system/engine_pkcs11/tests.sh
@@ -162,7 +162,13 @@ done
 # Go back to main test dir.
 cd ..
-# TODO: Checking for assertion failure in pk11_numbits
+n=$((n+1))
+ret=0
+echo_i "Checking for assertion failure in pk11_numbits()"
+$PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt
+dig_with_opts @10.53.0.1 version.bind. CH TXT > dig.out.pk11_numbits || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
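Review bot: `$PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt` has no status check, so if packet.pl fails to send at all (missing Perl module, wrong path, unreadable .pkt) the following `dig` of version.bind still succeeds and the regression check passes without the crafted packet ever reaching named. Append `|| ret=1` to that line so a send failure is counted like any other. The version.bind query is only a liveness probe for named after the crafted packet, and the commit message itself says the original crash lived in code that is already gone; a one-line comment such as `# named must still answer after the crafted packet from the .pkt file` would tell the next reader why this check is kept.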
From b3e5e12ddf786375f50437307adf845802d9406f Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Mon, 31 Jan 2022 16:53:40 +0100
Subject: [PATCH 3/5] Fix keyfromlabel echo output
The 'id' variable is either keyfromlabel-ksk or keyfromlabel-zsk and is set in the 'keygen' and 'keyfromlabel' functions. It should not be used outside these functions.
(cherry picked from commit 468cf3cdc25a5198a9281e18ecc840778f546ef9)
---
 bin/tests/system/keyfromlabel/tests.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bin/tests/system/keyfromlabel/tests.sh b/bin/tests/system/keyfromlabel/tests.sh
index 0bbbe1be3b..b54ea7b06c 100644
--- a/bin/tests/system/keyfromlabel/tests.sh
+++ b/bin/tests/system/keyfromlabel/tests.sh
@@ -61,12 +61,12 @@ do
 # Skip dnssec-keyfromlabel if key generation failed.
 test $ret == 0 || continue
- echo_i "Get ZSK $alg $id-$zone $type:$bits"
+ echo_i "Get ZSK $alg $zone $type:$bits"
 ret=0
 zsk=$(keyfromlabel $alg $zone keyfromlabel-zsk)
 test -z "$zsk" && ret=1
- echo_i "Get KSK $alg $id-$zone $type:$bits"
+ echo_i "Get KSK $alg $zone $type:$bits"
 ret=0
 ksk=$(keyfromlabel $alg $zone keyfromlabel-ksk -f KSK)
 test -z "$ksk" && ret=1
From 25cb2704b493d3455cee9e941f18b2bec4eded7c Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Thu, 3 Feb 2022 10:59:45 +0000
Subject: [PATCH 4/5] Use unique SoftHSMv2 token label for the "keyfromlabel" test
When there are more than one tokens initialized in SoftHSMv2, care must be taken to correctly identify them. Use a SoftHSMv2 token label which will uniquely identify the token used for this test. Use the "--token-label" parameter for the `pkcs11-tool` program to make sure that it finds and uses the correct token.
(cherry picked from commit a4497094414598537eb3cbbc9d92f38e072f5d7b)
---
 bin/tests/system/keyfromlabel/clean.sh | 2 +-
 bin/tests/system/keyfromlabel/setup.sh | 2 +-
 bin/tests/system/keyfromlabel/tests.sh | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/bin/tests/system/keyfromlabel/clean.sh b/bin/tests/system/keyfromlabel/clean.sh
index 39082d4ce2..bce20990be 100644
--- a/bin/tests/system/keyfromlabel/clean.sh
+++ b/bin/tests/system/keyfromlabel/clean.sh
@@ -24,4 +24,4 @@ rm -f keyfromlabel.out.*
 rm -f pkcs11-tool.out.*
 rm -f signer.out.*
-softhsm2-util --delete-token --token "softhsm2" || echo_i "softhsm2 token not found"
+softhsm2-util --delete-token --token "softhsm2-keyfromlabel" >/dev/null 2>&1 || echo_i "softhsm2-keyfromlabel token not found for cleaning"
diff --git a/bin/tests/system/keyfromlabel/setup.sh b/bin/tests/system/keyfromlabel/setup.sh
index 9f06a71faf..703814d62d 100644
--- a/bin/tests/system/keyfromlabel/setup.sh
+++ b/bin/tests/system/keyfromlabel/setup.sh
@@ -16,7 +16,7 @@ set -e
-softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'
+softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2-keyfromlabel" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'
 printf '%s' "${HSMPIN:-1234}" > pin
 PWD=$(pwd)
diff --git a/bin/tests/system/keyfromlabel/tests.sh b/bin/tests/system/keyfromlabel/tests.sh
index b54ea7b06c..247eefe688 100644
--- a/bin/tests/system/keyfromlabel/tests.sh
+++ b/bin/tests/system/keyfromlabel/tests.sh
@@ -24,7 +24,7 @@ keygen() {
 label="${id}-${zone}"
 p11id=$(echo "${label}" | sha1sum - | awk '{print $1}')
- pkcs11-tool --module $SOFTHSM2_MODULE -l -k --key-type $type:$bits --label "${label}" --id "${p11id//$'\n'/}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id || return 1
+ pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-keyfromlabel" -l -k --key-type $type:$bits --label "${label}" --id "${p11id//$'\n'/}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id || return 1
 }
 keyfromlabel() {
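Review bot: The new setup.sh line still initializes the token with a hard-coded `--pin 1234 --so-pin 1234` while the `pin` file two lines below is written from `${HSMPIN:-1234}`, so overriding HSMPIN leaves the token with a PIN that neither pkcs11-tool nor dnssec-keyfromlabel will present and every later key operation fails. Use the same expansion on the new line: `softhsm2-util --init-token --free --pin "${HSMPIN:-1234}" --so-pin "${HSMPIN:-1234}" --label "softhsm2-keyfromlabel" | awk ...`. Because that pipeline ends in awk, `set -e` never sees softhsm2-util's exit status; if the token cannot be created, setup carries on and only fails later with a confusing pkcs11-tool error, so test the first stage's status explicitly rather than relying on `set -e`.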
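Review bot: On the new pkcs11-tool line in keygen, `--id "${p11id//$'\n'/}"` is a no-op wrapped in a bash-only construct: `p11id=$(... | awk '{print $1}')` already strips the trailing newline, and `${var//pat/}` with `$'\n'` is a "Bad substitution" error under a POSIX sh. Pass `--id "${p11id}"` instead. `--pin $(cat $PWD/pin)` is also unquoted and places the PIN in the process argument list; that is harmless for the fixed test PIN, but `--pin "$(cat "$PWD/pin")"` at least keeps ShellCheck quiet. keygen begins before this hunk.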
@@ -33,7 +33,7 @@ keyfromlabel() {
 id="$3"
 shift 3
- $KEYFRLAB -E pkcs11 -a $alg -l "token=softhsm2;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >> keyfromlabel.out.$zone.$id 2>> /dev/null || return 1
+ $KEYFRLAB -E pkcs11 -a $alg -l "token=softhsm2-keyfromlabel;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >> keyfromlabel.out.$zone.$id 2>> /dev/null || return 1
 cat keyfromlabel.out.$zone.$id
 }
From 9f2b89fa772ea59bdeafd17e84d31ad764db8ba8 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Fri, 4 Feb 2022 11:55:46 +0100
Subject: [PATCH 5/5] Fix keyfromlabel test, missing status update
Fix a missing status=$((status+ret)) in the keyfromlabel system test, which would ignore the error if ZSK key creation failed.
(cherry picked from commit 7845f51178ba3ea0f68ab18c766c7255c710aed3)
---
 bin/tests/system/keyfromlabel/tests.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/bin/tests/system/keyfromlabel/tests.sh b/bin/tests/system/keyfromlabel/tests.sh
index 247eefe688..4f6940af7b 100644
--- a/bin/tests/system/keyfromlabel/tests.sh
+++ b/bin/tests/system/keyfromlabel/tests.sh
@@ -65,13 +65,14 @@ do
 ret=0
 zsk=$(keyfromlabel $alg $zone keyfromlabel-zsk)
 test -z "$zsk" && ret=1
+ test "$ret" -eq 0 || echo_i "failed (zsk=$zsk)"
+ status=$((status+ret))
 echo_i "Get KSK $alg $zone $type:$bits"
 ret=0
 ksk=$(keyfromlabel $alg $zone keyfromlabel-ksk -f KSK)
 test -z "$ksk" && ret=1
-
- test "$ret" -eq 0 || echo_i "failed (zsk=$zsk ksk=$ksk)"
+ test "$ret" -eq 0 || echo_i "failed (ksk=$ksk)"
 status=$((status+ret))
 # Skip signing if dnssec-keyfromlabel failed.
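Review bot: Counting the ZSK failure into `status` is right, but `ret` is reset to 0 before the KSK lookup, so the `# Skip signing if dnssec-keyfromlabel failed.` check that follows (outside the hunk, presumably a `test $ret == 0 || continue` like the one after keygen) only sees the KSK result; a ZSK failure paired with a successful KSK still proceeds to signing with an empty `$zsk`. Add `test "$ret" -eq 0 || continue` directly after the new `status=$((status+ret))` for the ZSK, mirroring the existing skip-after-keygen pattern. The `do` loop enclosing this hunk starts and ends outside it.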