diff --git a/tests/integration/bind.sh b/tests/integration/bind.sh index 3a0a152c..7da08e53 100755 --- a/tests/integration/bind.sh +++ b/tests/integration/bind.sh 
@@ -2,78 +2,62 @@ # Copyright (C) 2024 Ondrej Moris # SPDX-License-Identifier: Apache-2.0 +if [ $# -ne 1 ]; then + echo "Usage bind.sh " + exit 1 +fi + # shellcheck disable=SC1091 source "../helpers.sh" -BASEDIR=$PWD -WORKDIR=$(mktemp -d) -PIN="123456" -PKCS11_DEBUG_FILE="${WORKDIR}/pkcs11-bind-test.log" +TOKENTYPE=$1 -install_dependencies() -{ - title PARA "Install dependencies" +# Temporary dir and Token data dir +TMPPDIR="/tmp/bind/${TOKENTYPE}" +TOKDIR="$TMPPDIR/tokens" +if [ -d "${TMPPDIR}" ]; then + rm -fr "${TMPPDIR}" +fi +mkdir -p "${TMPPDIR}" +mkdir "${TOKDIR}" - dnf install -y --skip-broken \ - meson \ - p11-kit httpd mod_ssl openssl-devel gnutls-utils nss-tools \ - p11-kit-devel opensc softhsm-devel procps-ng \ - openssl util-linux bind9-next opensc -} +PINVALUE="123456" +PINFILE="${TMPPDIR}/pinfile.txt" +echo ${PINVALUE} > "${PINFILE}" +PKCS11_DEBUG_FILE="${TMPPDIR}/pkcs11-bind-test.log" +TEST_RESULT=1 -softhsm_token_setup() +token_setup() { - title PARA "Softhsm token setup" - - cp -rnp /var/lib/softhsm/tokens{,.bck} - export PKCS11_PROVIDER_MODULE="/usr/lib64/pkcs11/libsofthsm2.so" - softhsm2-util --init-token --free --label softhsm --pin $PIN --so-pin $PIN - pkcs11-tool --module $PKCS11_PROVIDER_MODULE \ - --login --pin $PIN \ - --keypairgen --key-type rsa:2048 --label localhost-ksk - pkcs11-tool --module $PKCS11_PROVIDER_MODULE \ - --login --pin $PIN \ - --keypairgen --key-type rsa:2048 --label localhost-zsk - - title SECTION "List token content" - TOKENURL=$(p11tool --list-token-urls | grep "softhsm") - p11tool --login --set-pin "$PIN" --list-all "$TOKENURL" - title ENDSECTION -} - -pkcs11_provider_setup() -{ - title PARA "Get, compile and install pkcs11-provider" - - if [ "$GITHUB_ACTIONS" == "true" ]; then - if [ -z "$PKCS11_MODULE" ]; then - echo "ERROR: Missing PKCS11_MODULE variable!" 
- exit 1 - fi - echo "Skipped (running in Github Actions)" + title PARA "Token setup" + + if [ "${TOKENTYPE}" == "softhsm" ]; then + # shellcheck disable=SC1091 + source "../softhsm-init.sh" + export XDG_RUNTIME_DIR=$PWD + eval "$(p11-kit server --provider "$P11LIB" "pkcs11:")" + test -n "$P11_KIT_SERVER_PID" + export P11LIB="/usr/lib64/pkcs11/p11-kit-client.so" + elif [ "${TOKENTYPE}" == "softokn" ]; then + # shellcheck disable=SC1091 + SHARED_EXT=".so" SOFTOKNPATH="/usr/lib64" source "../softokn-init.sh" + elif [ "${TOKENTYPE}" == "kryoptic" ]; then + # shellcheck disable=SC1091 + source "../kryoptic-init.sh" else - git clone \ - "${GIT_URL:-"https://github.com/latchset/pkcs11-provider.git"}" \ - "${WORKDIR}"/pkcs11-provider - pushd "${WORKDIR}"/pkcs11-provider - git checkout "${GIT_REF:-"main"}" - meson setup -Dlibdir=/usr/lib64 builddir - meson compile -C builddir - meson install -C builddir - popd - export PKCS11_MODULE=/usr/lib64/ossl-modules/pkcs11.so + echo "Unknown token type: $TOKENTYPE" + exit 1 fi - test -e "$PKCS11_MODULE" -} + export PKCS11_PROVIDER_MODULE=$P11LIB + ${TOKENCONFIGVARS} -p11kit_server_setup() -{ - title PARA "Proxy module driver through p11-kit server" + ARGS=("--module=${P11LIB}" "--login" "--pin=${PINVALUE}" "--token-label=${TOKENLABEL}") + pkcs11-tool "${ARGS[@]}" --keypairgen --key-type rsa:2048 --id '0001' --label localhost-ksk + pkcs11-tool "${ARGS[@]}" --keypairgen --key-type rsa:2048 --id '0002' --label localhost-zsk - export XDG_RUNTIME_DIR=$PWD - eval "$(p11-kit server --provider "$PKCS11_PROVIDER_MODULE" "pkcs11:")" - test -n "$P11_KIT_SERVER_PID" - export PKCS11_PROVIDER_MODULE="/usr/lib64/pkcs11/p11-kit-client.so" + title SECTION "List token content" + pkcs11-tool "${ARGS[@]}" -O + title ENDSECTION } openssl_setup() 
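Review bot: The top-level `rm -fr "${TMPPDIR}"` runs on `TMPPDIR="/tmp/bind/${TOKENTYPE}"` before `token_setup` rejects an unknown type, so a stray argument such as `..` resolves the deletion to `/tmp/bind/..` and wipes the parent directory instead of a test directory. Validate `$1` immediately after the argument-count check, e.g. `case "$1" in softhsm|softokn|kryoptic) ;; *) echo "Unknown token type: $1" >&2; exit 1 ;; esac`, so the later `else` branch in `token_setup` is only defence in depth. Separately, the fixed path replaces the removed `mktemp -d`: on a shared host anyone who can pre-create `/tmp/bind` controls where the token data and `pinfile.txt` land, and `echo ${PINVALUE} > "${PINFILE}"` writes the PIN unquoted with the default umask; `mktemp -d -p /tmp "bind-${TOKENTYPE}.XXXXXX"` and `(umask 077; echo "$PINVALUE" > "$PINFILE")` would close both, even though the value here is only the test constant `123456`.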
@@ -82,93 +66,73 @@ openssl_setup() sed \ -e "s|\(default = default_sect\)|\1\npkcs11 = pkcs11_sect\n|" \ - -e "s|\(\[default_sect\]\)|\[pkcs11_sect\]\n\1|" \ + -e "s|\(\[default_sect\]\)|\[pkcs11_sect\]\n$TOKENOPTIONS\n\1|" \ -e "s|\(\[default_sect\]\)|module = $PKCS11_MODULE\n\1|" \ - -e "s|\(\[default_sect\]\)|pkcs11-module-load-behavior = early\n\1|" \ -e "s|\(\[default_sect\]\)|activate = 1\n\n\1|" \ - /etc/pki/tls/openssl.cnf >"${WORKDIR}"/openssl.cnf - - title SECTION "openssl.cnf" - cat "${WORKDIR}"/openssl.cnf - title ENDSECTION + -e "s|\(\[default_sect\]\)|pkcs11-module-token-pin = file:$PINFILE\n\1|" \ + /etc/pki/tls/openssl.cnf >"${TMPPDIR}"/openssl.cnf } bind_setup() { title PARA "Bind setup" - cp /var/named/named.localhost "${WORKDIR}"/localhost + cp /var/named/named.localhost "${TMPPDIR}"/localhost } bind_test() { title PARA "Bind test" + ( + export OPENSSL_CONF=${TMPPDIR}/openssl.cnf + export PKCS11_PROVIDER_DEBUG=file:${PKCS11_DEBUG_FILE} + + title SECTION "Test 1: Extract KSK and ZSK keys from PKCS11 URIs" + dnssec-keyfromlabel -a RSASHA256 -l "pkcs11:object=localhost-zsk" -K "$TMPPDIR" localhost + dnssec-keyfromlabel -a RSASHA256 -l "pkcs11:object=localhost-ksk" -K "$TMPPDIR" -f KSK localhost + for K in "${TMPPDIR}"/*.key; do + cat "$K" >>"${TMPPDIR}/localhost" + done + test -s "${PKCS11_DEBUG_FILE}" + title ENDSECTION - TOKENURL=$(p11tool --list-token-urls | grep "softhsm") - KSKURL="$(p11tool --login --set-pin "$PIN" --list-keys "$TOKENURL" \ - | grep 'URL:.*object=localhost-ksk' \ - | awk '{ print $NF }' \ - | sed "s/type=.*\$/pin-value=$PIN/")" - ZSKURL="$(p11tool --login --set-pin "$PIN" --list-keys "$TOKENURL" \ - | grep 'URL:.*object=localhost-zsk' \ - | awk '{ print $NF }' \ - | sed "s/type=.*\$/pin-value=$PIN/")" - - pushd "$WORKDIR" - - title PARA "Test 1: Extract KSK and ZSK keys from PKCS11 URIs" - PKCS11_PROVIDER_DEBUG=file:${PKCS11_DEBUG_FILE}.extract \ - OPENSSL_CONF=openssl.cnf \ - dnssec-keyfromlabel -a RSASHA256 -l "$ZSKURL" 
localhost - PKCS11_PROVIDER_DEBUG=file:${PKCS11_DEBUG_FILE}.extract \ - OPENSSL_CONF=openssl.cnf \ - dnssec-keyfromlabel -a RSASHA256 -l "$KSKURL" -f KSK localhost - for K in *.key; do - cat "$K" >>localhost - done - test -s "${PKCS11_DEBUG_FILE}".extract - - title PARA "Test 2: Sign zone" - PKCS11_PROVIDER_DEBUG=file:${PKCS11_DEBUG_FILE}.sign \ - OPENSSL_CONF=openssl.cnf \ - dnssec-signzone -o localhost localhost - test -s "${PKCS11_DEBUG_FILE}".sign - - popd - echo "Test passed" + title SECTION "Test 2: Sign zone" + dnssec-signzone -o localhost -K "$TMPPDIR" "${TMPPDIR}/localhost" + test -s "${PKCS11_DEBUG_FILE}" + title ENDSECTION + ) + title LINE "PASSED" + TEST_RESULT=0 } +# shellcheck disable=SC2317 cleanup() { title PARA "Clean-up" - for L in "${PKCS11_DEBUG_FILE}".*; do - title SECTION "$L" - cat "$L" - title ENDSECTION - done - - pushd "$BASEDIR" >/dev/null - rm -rf "$WORKDIR" - if [ -e /var/lib/softhsm/tokens.bck ]; then - rm -rf /var/lib/softhsm/tokens - mv /var/lib/softhsm/tokens.bck /var/lib/softhsm/tokens + if [ "$TEST_RESULT" -ne 0 ]; then + for L in ${TMPPDIR}/openssl.cnf $PKCS11_DEBUG_FILE; do + if [ -e "$L" ]; then + title SECTION "$L" + cat "$L" + title ENDSECTION + fi + done fi - cleanup_server "p11-kit" "$P11_KIT_SERVER_PID" - title LINE "Done" + if [ "${TOKENTYPE}" == "softhsm" ]; then + cleanup_server "p11-kit" "$P11_KIT_SERVER_PID" + fi } - trap "cleanup" EXIT # Setup. -install_dependencies -softhsm_token_setup -p11kit_server_setup -pkcs11_provider_setup +token_setup openssl_setup bind_setup # Test. bind_test + +exit $TEST_RESULT
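Review bot: `title LINE "PASSED"` and `TEST_RESULT=0` in `bind_test` are reached regardless of the subshell's exit status — nothing after the closing `)` inspects it — so the verdict relies on `set -e` being enabled on the file's first line, which is outside this hunk. If it is, a comment such as `# relies on set -e: a failing step aborts the subshell and the script before TEST_RESULT is cleared` would make that explicit; if it is not, a failed `dnssec-signzone` still prints PASSED and exits 0. Be aware that wrapping the subshell in `if ! ( … )` or `( … ) || return 1` suppresses errexit inside it, so an explicit check would need `set -e` re-issued inside the parentheses. Also in `cleanup`, `for L in ${TMPPDIR}/openssl.cnf $PKCS11_DEBUG_FILE` is unquoted, and unlike the removed `rm -rf "$WORKDIR"` the new code never deletes `TMPPDIR`, so `pinfile.txt` and the token data persist under `/tmp` after the run.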