Replace testcrypto.sh invocations in tests

Use the provided environment variables instead.
Tom Krizek 2024-01-24 15:38:55 +01:00 committed by Nicki Křížek
parent 25cb39b7fc
commit fc84bf80e4
No known key found for this signature in database
GPG key ID: 01623B9B652A20A7
24 changed files with 48 additions and 84 deletions

@ -157,10 +157,7 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
# None of these algorithms are supported for signing in FIPS mode
# as they are MD5 and SHA1 based.
#
if (
cd ..
$SHELL ../testcrypto.sh -q RSASHA1
); then
if [ $RSASHA1_SUPPORTED = 1 ]; then
setup nsec-only.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2>kg.out) || dumpit kg.out
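Review bot: The new condition `if [ $RSASHA1_SUPPORTED = 1 ]; then` expands the variable unquoted, so when it is unset or empty the test is malformed, evaluates false, and the RSASHA1 zone setup is skipped without the run failing. The inverse checks elsewhere in this commit (`[ $RSASHA1_SUPPORTED = 0 ]`) would take their `else` branch in the same situation, so the two polarities stop agreeing on whether the algorithm is available and the FIPS and non-FIPS expectations get mixed. Quoting and failing loudly avoids that: `if [ "${RSASHA1_SUPPORTED:?}" = 1 ]; then`. The same applies to the `ECDSAP256SHA256_SUPPORTED`, `ECDSAP384SHA384_SUPPORTED`, `ED25519_SUPPORTED` and `ED448_SUPPORTED` checks in the other file sections. Where these variables are exported is not visible on this page, and the enclosing `if` block continues past the end of this hunk.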

@ -892,7 +892,7 @@ checkprivate nsec3.nsec3.example 10.53.0.3 || ret=1
checkprivate nsec3.optout.example 10.53.0.3 || ret=1
checkprivate nsec3-to-nsec.example 10.53.0.3 2 || ret=1 # automatically removed
checkprivate nsec3-to-nsec3.example 10.53.0.3 2 || ret=1 # automatically removed
if $SHELL ../testcrypto.sh -q RSASHA1; then
if [ $RSASHA1_SUPPORTED = 1 ]; then
checkprivate nsec-only.example 10.53.0.3 || ret=1
fi
checkprivate oldsigs.example 10.53.0.3 2 || ret=1 # pre-signed
@ -1252,7 +1252,7 @@ del=$(grep "DNSKEY .* is now deleted" ns2/named.run | wc -l)
[ "$del" -eq 0 ] || ret=1
pub=$(grep "DNSKEY .* is now published" ns3/named.run | grep -v "CDNSKEY" | wc -l)
act=$(grep "DNSKEY .* is now active" ns3/named.run | wc -l)
if $SHELL ../testcrypto.sh -q RSASHA1; then
if [ $RSASHA1_SUPPORTED = 1 ]; then
# Include two log lines for nsec-only zone.
[ "$pub" -eq 53 ] || ret=1
[ "$act" -eq 53 ] || ret=1

@ -642,7 +642,7 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)"
ret=0
if ! ($SHELL ../testcrypto.sh -q RSASHA1); then
if [ $RSASHA1_SUPPORTED = 0 ]; then
conf=kasp-bad-nsec3-iter-fips.conf
expect=2
else
@ -660,7 +660,7 @@ n=$((n + 1))
echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)"
ret=0
$CHECKCONF kasp-bad-nsec3-alg.conf >checkconf.out$n 2>&1 && ret=1
if ! ($SHELL ../testcrypto.sh -q RSASHA1); then
if [ $RSASHA1_SUPPORTED = 0 ]; then
grep "dnssec-policy: algorithm rsasha1 not supported" <checkconf.out$n >/dev/null || ret=1
else
grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" <checkconf.out$n >/dev/null || ret=1

@ -1462,7 +1462,7 @@ echo_ic "check that 'dnssec-signzone -F' failed with disallowed algorithm ($n)"
ret=0
if ! $FEATURETEST --fips-provider; then
echo_i "skipped no FIPS provider available"
elif ! $SHELL ../testcrypto.sh -q RSASHA1; then
elif [ $RSASHA1_SUPPORTED = 0 ]; then
echo_i "skipped: RSASHA1 is not supported"
else
(
@ -3417,7 +3417,7 @@ if $FEATURETEST --have-fips-mode; then
echo_i "skipped: already in FIPS mode"
elif ! $FEATURETEST --fips-provider; then
echo_i "skipped no FIPS provider available"
elif ! $SHELL ../testcrypto.sh -q RSASHA1; then
elif [ $RSASHA1_SUPPORTED = 0 ]; then
echo_i "skipped: RSASHA1 is not supported"
else
$KEYGEN -F -a rsasha1 example.fips 2>keygen.err$n || true
@ -3433,7 +3433,7 @@ if $FEATURETEST --have-fips-mode; then
echo_i "skipped: already in FIPS mode"
elif ! $FEATURETEST --fips-provider; then
echo_i "skipped: cannot switch to FIPS mode"
elif ! $SHELL ../testcrypto.sh -q RSASHA1; then
elif [ $RSASHA1_SUPPORTED = 0 ]; then
echo_i "skipped: RSASHA1 is not supported"
else
$KEYGEN -F -a nsec3rsasha1 example.fips 2>keygen.err$n || true

@ -24,4 +24,3 @@ rm -f ns*/named.run
rm -f ns*/root.db
rm -f ns*/signer.err
rm -f ns*/trusted.conf
rm -f *-supported.file

@ -23,14 +23,14 @@ echo_i "ns1/sign.sh"
cp $infile $zonefile
if [ -f ../ecdsa256-supported.file ]; then
if [ $ECDSAP256SHA256_SUPPORTED = 1 ]; then
zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone")
ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone")
cat "$ksk256.key" "$zsk256.key" >>"$zonefile"
$DSFROMKEY -a sha-256 "$ksk256.key" >>dsset-256
fi
if [ -f ../ecdsa384-supported.file ]; then
if [ $ECDSAP384SHA384_SUPPORTED = 1 ]; then
zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone")
ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone")
cat "$ksk384.key" "$zsk384.key" >>"$zonefile"
@ -38,7 +38,7 @@ if [ -f ../ecdsa384-supported.file ]; then
fi
# Configure the resolving server with a static key.
if [ -f ../ecdsa256-supported.file ]; then
if [ $ECDSAP256SHA256_SUPPORTED = 1 ]; then
keyfile_to_static_ds $ksk256 >trusted.conf
cp trusted.conf ../ns2/trusted.conf
else
@ -46,7 +46,7 @@ else
cp trusted.conf ../ns2/trusted.conf
fi
if [ -f ../ecdsa384-supported.file ]; then
if [ $ECDSAP384SHA384_SUPPORTED = 1 ]; then
keyfile_to_static_ds $ksk384 >trusted.conf
cp trusted.conf ../ns3/trusted.conf
else

@ -15,14 +15,6 @@ set -e
. ../conf.sh
if $SHELL ../testcrypto.sh ecdsap256sha256; then
echo "yes" >ecdsa256-supported.file
fi
if $SHELL ../testcrypto.sh ecdsap384sha384; then
echo "yes" >ecdsa384-supported.file
fi
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf

@ -22,7 +22,7 @@ dig_with_opts() {
"$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
}
if [ -f ecdsa256-supported.file ]; then
if [ $ECDSAP256SHA256_SUPPORTED = 1 ]; then
n=$((n + 1))
echo_i "checking that ECDSA256 positive validation works ($n)"
ret=0
@ -36,7 +36,7 @@ else
echo_i "algorithm ECDSA256 not supported, skipping test"
fi
if [ -f ecdsa384-supported.file ]; then
if [ $ECDSAP384SHA384_SUPPORTED = 1 ]; then
n=$((n + 1))
echo_i "checking that ECDSA384 positive validation works ($n)"
ret=0

@ -25,4 +25,3 @@ rm -f ns*/root.db
rm -f ns*/signer.err
rm -f ns*/trusted.conf
rm -f ns*/example.com.db
rm -f *-supported.file

@ -23,14 +23,14 @@ echo_i "ns1/sign.sh"
cp $infile $zonefile
if [ -f ../ed25519-supported.file ]; then
if [ $ED25519_SUPPORTED = 1 ]; then
zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone")
ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone")
cat "$ksk25519.key" "$zsk25519.key" >>"$zonefile"
$DSFROMKEY -a sha-256 "$ksk25519.key" >>dsset-256
fi
if [ -f ../ed448-supported.file ]; then
if [ $ED448_SUPPORTED = 1 ]; then
zsk448=$($KEYGEN -q -a ED448 -n zone "$zone")
ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone")
cat "$ksk448.key" "$zsk448.key" >>"$zonefile"
@ -38,7 +38,7 @@ if [ -f ../ed448-supported.file ]; then
fi
# Configure the resolving server with a static key.
if [ -f ../ed25519-supported.file ]; then
if [ $ED25519_SUPPORTED = 1 ]; then
keyfile_to_static_ds $ksk25519 >trusted.conf
cp trusted.conf ../ns2/trusted.conf
else
@ -46,7 +46,7 @@ else
cp trusted.conf ../ns2/trusted.conf
fi
if [ -f ../ed448-supported.file ]; then
if [ $ED448_SUPPORTED = 1 ]; then
keyfile_to_static_ds $ksk448 >trusted.conf
cp trusted.conf ../ns3/trusted.conf
else

@ -25,7 +25,7 @@ echo_i "ns2/sign.sh"
cp $infile $zonefile
if [ -f ../ed25519-supported.file ]; then
if [ $ED25519_SUPPORTED = 1 ]; then
for i in Xexample.com.+015+03613 Xexample.com.+015+35217; do
cp "$i.key" "$(echo $i.key | sed s/X/K/)"

@ -25,7 +25,7 @@ echo_i "ns3/sign.sh"
cp $infile $zonefile
if [ -f ../ed448-supported.file ]; then
if [ $ED448_SUPPORTED = 1 ]; then
for i in Xexample.com.+016+09713 Xexample.com.+016+38353; do
cp "$i.key" "$(echo $i.key | sed s/X/K/)"
cp "$i.private" "$(echo $i.private | sed s/X/K/)"

@ -15,12 +15,6 @@ set -e
. ../conf.sh
supported=0
if $SHELL ../testcrypto.sh ed25519; then
supported=1
if [ $ED25519_SUPPORTED = 0 ] && [ $ED448_SUPPORTED = 0 ]; then
exit 1
fi
if $SHELL ../testcrypto.sh ed448; then
supported=1
fi
[ "$supported" -eq 1 ] || exit 1
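Review bot: The rewritten prerequisite `if [ $ED25519_SUPPORTED = 0 ] && [ $ED448_SUPPORTED = 0 ]; then` exits 1 only when both variables are literally `0`, whereas the removed code started from `supported=0` and passed only on a positive probe result. As the new side reads, an unset, empty or otherwise unexpected value in either variable lets the prerequisite pass, so the EdDSA test would run on a build that may lack the algorithm. Testing for positive evidence keeps the previous fail-closed default: `[ "${ED25519_SUPPORTED:-0}" = 1 ] || [ "${ED448_SUPPORTED:-0}" = 1 ] || exit 1`.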

@ -15,14 +15,6 @@ set -e
. ../conf.sh
if $SHELL ../testcrypto.sh ed25519; then
echo "yes" >ed25519-supported.file
fi
if $SHELL ../testcrypto.sh ed448; then
echo "yes" >ed448-supported.file
fi
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf

@ -22,7 +22,7 @@ dig_with_opts() {
"$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
}
if [ -f ed25519-supported.file ]; then
if [ $ED25519_SUPPORTED = 1 ]; then
# Check the example. domain
n=$((n + 1))
echo_i "checking that Ed25519 positive validation works ($n)"
@ -50,7 +50,7 @@ fi
n=$((n + 1))
ret=0
if [ -f ed448-supported.file ]; then
if [ $ED448_SUPPORTED = 1 ]; then
# Check the example. domain
n=$((n + 1))
echo_i "checking that Ed448 positive validation works ($n)"

@ -59,9 +59,11 @@ for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
alg=$(echo "$algtypebits" | cut -f 1 -d :)
type=$(echo "$algtypebits" | cut -f 2 -d :)
bits=$(echo "$algtypebits" | cut -f 3 -d :)
alg_upper=$(echo "$alg" | tr '[:lower:]' '[:upper:]')
supported=$(eval "echo \$${alg_upper}_SUPPORTED")
tld="example"
if $SHELL ../testcrypto.sh $alg; then
if [ "${supported}" = 1 ]; then
zone="$alg.$tld"
zonefile="zone.$alg.$tld.db"
ret=0
@ -191,9 +193,11 @@ algtypebits="ecdsap256sha256:EC:prime256v1"
alg=$(echo "$algtypebits" | cut -f 1 -d :)
type=$(echo "$algtypebits" | cut -f 2 -d :)
bits=$(echo "$algtypebits" | cut -f 3 -d :)
alg_upper=$(echo "$alg" | tr '[:lower:]' '[:upper:]')
supported=$(eval "echo \$${alg_upper}_SUPPORTED")
tld="views"
if $SHELL ../testcrypto.sh $alg; then
if [ "${supported}" = 1 ]; then
zone="$alg.$tld"
zonefile1="zone.$alg.$tld.view1.db"
zonefile2="zone.$alg.$tld.view2.db"
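Review bot: The lookup `supported=$(eval "echo \$${alg_upper}_SUPPORTED")` in both hunks builds a variable name for `eval` from `$alg`, which is safe only because `alg` comes from the literal list in the `for` header and the fixed `algtypebits=` assignment; nothing at the call site says so. A comment such as `# alg comes from the fixed list above; never pass external input to this eval` would keep a later edit from widening the input, and a guard like `case "$alg_upper" in *[!A-Z0-9]*) exit 1 ;; esac` before the `eval` would enforce it. An algorithm with no matching `*_SUPPORTED` variable yields an empty string and is skipped silently, so a typo in the list would drop coverage without any failure. The same two lines appear in the later file section that sets `zone="$alg.example"`; the loop bodies continue outside the hunks.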

@ -33,7 +33,6 @@ rm -rf ns3/keys/
rm -f *.created published.test* retired.test*
rm -f rndc.dnssec.*.out.* rndc.zonestatus.out.*
rm -f python.out.*
rm -f *-supported.file
rm -f created.key-* unused.key-*
rm -f ns3/ksk/K* ns3/zsk/K*
rm -rf ./ns3/ksk/ ./ns3/zsk/

@ -66,10 +66,7 @@ cp template.db.in "i-am.special.kasp.db"
# Set up RSASHA1 based zones
#
for zn in rsasha1 rsasha1-nsec3; do
if (
cd ..
$SHELL ../testcrypto.sh -q RSASHA1
); then
if [ $RSASHA1_SUPPORTED = 1 ]; then
setup "${zn}.kasp"
cp template.db.in "$zonefile"
else
@ -79,13 +76,13 @@ for zn in rsasha1 rsasha1-nsec3; do
fi
done
if [ -f ../ed25519-supported.file ]; then
if [ $ED25519_SUPPORTED = 1 ]; then
setup "ed25519.kasp"
cp template.db.in "$zonefile"
cat ed25519.conf >>named.conf
fi
if [ -f ../ed448-supported.file ]; then
if [ $ED448_SUPPORTED = 1 ]; then
setup "ed448.kasp"
cp template.db.in "$zonefile"
cat ed448.conf >>named.conf

@ -22,7 +22,7 @@ mkdir keys
mkdir ns3/keys
copy_setports ns2/named.conf.in ns2/named.conf
if ! $SHELL ../testcrypto.sh -q RSASHA1; then
if [ $RSASHA1_SUPPORTED = 0 ]; then
copy_setports ns3/named-fips.conf.in ns3/named.conf
else
copy_setports ns3/named-fips.conf.in ns3/named-fips.conf
@ -32,18 +32,10 @@ copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
if $SHELL ../testcrypto.sh ed25519; then
echo "yes" >ed25519-supported.file
fi
if $SHELL ../testcrypto.sh ed448; then
echo "yes" >ed448-supported.file
fi
copy_setports ns3/policies/autosign.conf.in ns3/policies/autosign.conf
copy_setports ns3/policies/kasp-fips.conf.in ns3/policies/kasp-fips.conf
copy_setports ns3/policies/kasp.conf.in ns3/policies/kasp.conf
if ! $SHELL ../testcrypto.sh -q RSASHA1; then
if [ $RSASHA1_SUPPORTED = 0 ]; then
cp ns3/policies/kasp-fips.conf ns3/policies/kasp.conf
fi
@ -51,7 +43,7 @@ copy_setports ns6/policies/csk1.conf.in ns6/policies/csk1.conf
copy_setports ns6/policies/csk2.conf.in ns6/policies/csk2.conf
copy_setports ns6/policies/kasp-fips.conf.in ns6/policies/kasp-fips.conf
copy_setports ns6/policies/kasp.conf.in ns6/policies/kasp.conf
if ! $SHELL ../testcrypto.sh -q RSASHA1; then
if [ $RSASHA1_SUPPORTED = 0 ]; then
cp ns6/policies/kasp-fips.conf ns6/policies/kasp.conf
fi

@ -826,7 +826,7 @@ set_keytimes_algorithm_policy() {
#
# Zone: rsasha1.kasp.
#
if $SHELL ../testcrypto.sh -q RSASHA1; then
if [ $RSASHA1_SUPPORTED = 1 ]; then
set_zone "rsasha1.kasp"
set_policy "rsasha1" "3" "1234"
set_server "ns3" "10.53.0.3"
@ -1173,7 +1173,7 @@ status=$((status + ret))
#
# Zone: rsasha1-nsec3.kasp.
#
if $SHELL ../testcrypto.sh -q RSASHA1; then
if [ $RSASHA1_SUPPORTED = 1 ]; then
set_zone "rsasha1-nsec3.kasp"
set_policy "rsasha1-nsec3" "3" "1234"
set_server "ns3" "10.53.0.3"
@ -1275,7 +1275,7 @@ dnssec_verify
#
# Zone: ed25519.kasp.
#
if [ -f ed25519-supported.file ]; then
if [ $ED25519_SUPPORTED = 1 ]; then
set_zone "ed25519.kasp"
set_policy "ed25519" "3" "1234"
set_server "ns3" "10.53.0.3"
@ -1297,7 +1297,7 @@ fi
#
# Zone: ed448.kasp.
#
if [ -f ed448-supported.file ]; then
if [ $ED448_SUPPORTED = 1 ]; then
set_zone "ed448.kasp"
set_policy "ed448" "3" "1234"
set_server "ns3" "10.53.0.3"

@ -47,8 +47,10 @@ for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
alg=$(echo "$algtypebits" | cut -f 1 -d :)
type=$(echo "$algtypebits" | cut -f 2 -d :)
bits=$(echo "$algtypebits" | cut -f 3 -d :)
alg_upper=$(echo "$alg" | tr '[:lower:]' '[:upper:]')
supported=$(eval "echo \$${alg_upper}_SUPPORTED")
if $SHELL ../testcrypto.sh $alg; then
if [ "${supported}" = 1 ]; then
zone="$alg.example"
zonefile="zone.$alg.example.db"
ret=0

@ -31,10 +31,7 @@ for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
setup "${zn}.kasp"
done
if (
cd ..
$SHELL ../testcrypto.sh -q RSASHA1
); then
if [ $RSASHA1_SUPPORTED = 1 ]; then
for zn in rsasha1-to-nsec3 rsasha1-to-nsec3-wait nsec3-to-rsasha1 \
nsec3-to-rsasha1-ds; do
setup "${zn}.kasp"

@ -24,7 +24,7 @@ copy_setports ns2/named.conf.in ns2/named.conf
$SHELL setup.sh
)
if ! ($SHELL ../testcrypto.sh -q RSASHA1); then
if [ $RSASHA1_SUPPORTED = 0 ]; then
copy_setports ns3/named-fips.conf.in ns3/named.conf
else
copy_setports ns3/named-fips.conf.in ns3/named-fips.conf

@ -242,7 +242,7 @@ set_key_default_values "KEY1"
echo_i "initial check zone ${ZONE}"
check_nsec
if ($SHELL ../testcrypto.sh -q RSASHA1); then
if [ $RSASHA1_SUPPORTED = 1 ]; then
# Zone: rsasha1-to-nsec3.kasp.
set_zone_policy "rsasha1-to-nsec3.kasp" "rsasha1" 1 3600
set_server "ns3" "10.53.0.3"
@ -391,7 +391,7 @@ check_nsec
# Reconfig named.
ret=0
echo_i "reconfig dnssec-policy to trigger nsec3 rollovers"
if ! ($SHELL ../testcrypto.sh -q RSASHA1); then
if [ $RSASHA1_SUPPORTED = 0 ]; then
copy_setports ns3/named2-fips.conf.in ns3/named.conf
else
copy_setports ns3/named2-fips.conf.in ns3/named-fips.conf
@ -407,7 +407,7 @@ set_key_default_values "KEY1"
echo_i "check zone ${ZONE} after reconfig"
check_nsec3
if ($SHELL ../testcrypto.sh -q RSASHA1); then
if [ $RSASHA1_SUPPORTED = 1 ]; then
# Zone: rsasha1-to-nsec3.kasp.
set_zone_policy "rsasha1-to-nsec3.kasp" "nsec3" 2 3600
set_server "ns3" "10.53.0.3"