tests: support for all three tokens in bind test
Signed-off-by: Ondrej Moris <[email protected]>
The-Mule committed Oct 9, 2024
1 parent 1d89ee0 commit 308d7b5
Showing 1 changed file with 83 additions and 119 deletions.
202 changes: 83 additions & 119 deletions tests/integration/bind.sh
Expand Up @@ -2,78 +2,62 @@
# Copyright (C) 2024 Ondrej Moris <[email protected]>
# SPDX-License-Identifier: Apache-2.0

if [ $# -ne 1 ]; then
echo "Usage bind.sh <tokentype>"
exit 1
fi

# shellcheck disable=SC1091
source "../helpers.sh"

BASEDIR=$PWD
WORKDIR=$(mktemp -d)
PIN="123456"
PKCS11_DEBUG_FILE="${WORKDIR}/pkcs11-bind-test.log"
TOKENTYPE=$1

install_dependencies()
{
title PARA "Install dependencies"
# Temporary dir and Token data dir
TMPPDIR="/tmp/bind/${TOKENTYPE}"
TOKDIR="$TMPPDIR/tokens"
if [ -d "${TMPPDIR}" ]; then
rm -fr "${TMPPDIR}"
fi
mkdir -p "${TMPPDIR}"
mkdir "${TOKDIR}"

dnf install -y --skip-broken \
meson \
p11-kit httpd mod_ssl openssl-devel gnutls-utils nss-tools \
p11-kit-devel opensc softhsm-devel procps-ng \
openssl util-linux bind9-next opensc
}
PINVALUE="123456"
PINFILE="${TMPPDIR}/pinfile.txt"
echo ${PINVALUE} > "${PINFILE}"
PKCS11_DEBUG_FILE="${TMPPDIR}/pkcs11-bind-test.log"
TEST_RESULT=1

softhsm_token_setup()
token_setup()
{
title PARA "Softhsm token setup"

cp -rnp /var/lib/softhsm/tokens{,.bck}
export PKCS11_PROVIDER_MODULE="/usr/lib64/pkcs11/libsofthsm2.so"
softhsm2-util --init-token --free --label softhsm --pin $PIN --so-pin $PIN
pkcs11-tool --module $PKCS11_PROVIDER_MODULE \
--login --pin $PIN \
--keypairgen --key-type rsa:2048 --label localhost-ksk
pkcs11-tool --module $PKCS11_PROVIDER_MODULE \
--login --pin $PIN \
--keypairgen --key-type rsa:2048 --label localhost-zsk

title SECTION "List token content"
TOKENURL=$(p11tool --list-token-urls | grep "softhsm")
p11tool --login --set-pin "$PIN" --list-all "$TOKENURL"
title ENDSECTION
}

pkcs11_provider_setup()
{
title PARA "Get, compile and install pkcs11-provider"

if [ "$GITHUB_ACTIONS" == "true" ]; then
if [ -z "$PKCS11_MODULE" ]; then
echo "ERROR: Missing PKCS11_MODULE variable!"
exit 1
fi
echo "Skipped (running in Github Actions)"
title PARA "Token setup"

if [ "${TOKENTYPE}" == "softhsm" ]; then
# shellcheck disable=SC1091
source "../softhsm-init.sh"
export XDG_RUNTIME_DIR=$PWD
eval "$(p11-kit server --provider "$P11LIB" "pkcs11:")"
test -n "$P11_KIT_SERVER_PID"
export P11LIB="/usr/lib64/pkcs11/p11-kit-client.so"
elif [ "${TOKENTYPE}" == "softokn" ]; then
# shellcheck disable=SC1091
SHARED_EXT=".so" SOFTOKNPATH="/usr/lib64" source "../softokn-init.sh"
elif [ "${TOKENTYPE}" == "kryoptic" ]; then
# shellcheck disable=SC1091
source "../kryoptic-init.sh"
else
git clone \
"${GIT_URL:-"https://github.com/latchset/pkcs11-provider.git"}" \
"${WORKDIR}"/pkcs11-provider
pushd "${WORKDIR}"/pkcs11-provider
git checkout "${GIT_REF:-"main"}"
meson setup -Dlibdir=/usr/lib64 builddir
meson compile -C builddir
meson install -C builddir
popd
export PKCS11_MODULE=/usr/lib64/ossl-modules/pkcs11.so
echo "Unknown token type: $TOKENTYPE"
exit 1
fi
test -e "$PKCS11_MODULE"
}
export PKCS11_PROVIDER_MODULE=$P11LIB
${TOKENCONFIGVARS}

p11kit_server_setup()
{
title PARA "Proxy module driver through p11-kit server"
ARGS=("--module=${P11LIB}" "--login" "--pin=${PINVALUE}" "--token-label=${TOKENLABEL}")
pkcs11-tool "${ARGS[@]}" --keypairgen --key-type rsa:2048 --id '0001' --label localhost-ksk
pkcs11-tool "${ARGS[@]}" --keypairgen --key-type rsa:2048 --id '0002' --label localhost-zsk

export XDG_RUNTIME_DIR=$PWD
eval "$(p11-kit server --provider "$PKCS11_PROVIDER_MODULE" "pkcs11:")"
test -n "$P11_KIT_SERVER_PID"
export PKCS11_PROVIDER_MODULE="/usr/lib64/pkcs11/p11-kit-client.so"
title SECTION "List token content"
pkcs11-tool "${ARGS[@]}" -O
title ENDSECTION
}

openssl_setup()
Expand All @@ -82,93 +66,73 @@ openssl_setup()

sed \
-e "s|\(default = default_sect\)|\1\npkcs11 = pkcs11_sect\n|" \
-e "s|\(\[default_sect\]\)|\[pkcs11_sect\]\n\1|" \
-e "s|\(\[default_sect\]\)|\[pkcs11_sect\]\n$TOKENOPTIONS\n\1|" \
-e "s|\(\[default_sect\]\)|module = $PKCS11_MODULE\n\1|" \
-e "s|\(\[default_sect\]\)|pkcs11-module-load-behavior = early\n\1|" \
-e "s|\(\[default_sect\]\)|activate = 1\n\n\1|" \
/etc/pki/tls/openssl.cnf >"${WORKDIR}"/openssl.cnf

title SECTION "openssl.cnf"
cat "${WORKDIR}"/openssl.cnf
title ENDSECTION
-e "s|\(\[default_sect\]\)|pkcs11-module-token-pin = file:$PINFILE\n\1|" \
/etc/pki/tls/openssl.cnf >"${TMPPDIR}"/openssl.cnf
}

bind_setup()
{
title PARA "Bind setup"

cp /var/named/named.localhost "${WORKDIR}"/localhost
cp /var/named/named.localhost "${TMPPDIR}"/localhost
}

bind_test()
{
title PARA "Bind test"
(
export OPENSSL_CONF=${TMPPDIR}/openssl.cnf
export PKCS11_PROVIDER_DEBUG=file:${PKCS11_DEBUG_FILE}

title SECTION "Test 1: Extract KSK and ZSK keys from PKCS11 URIs"
dnssec-keyfromlabel -a RSASHA256 -l "pkcs11:object=localhost-zsk" -K "$TMPPDIR" localhost
dnssec-keyfromlabel -a RSASHA256 -l "pkcs11:object=localhost-ksk" -K "$TMPPDIR" -f KSK localhost
for K in "${TMPPDIR}"/*.key; do
cat "$K" >>"${TMPPDIR}/localhost"
done
test -s "${PKCS11_DEBUG_FILE}"
title ENDSECTION

TOKENURL=$(p11tool --list-token-urls | grep "softhsm")
KSKURL="$(p11tool --login --set-pin "$PIN" --list-keys "$TOKENURL" \
| grep 'URL:.*object=localhost-ksk' \
| awk '{ print $NF }' \
| sed "s/type=.*\$/pin-value=$PIN/")"
ZSKURL="$(p11tool --login --set-pin "$PIN" --list-keys "$TOKENURL" \
| grep 'URL:.*object=localhost-zsk' \
| awk '{ print $NF }' \
| sed "s/type=.*\$/pin-value=$PIN/")"

pushd "$WORKDIR"

title PARA "Test 1: Extract KSK and ZSK keys from PKCS11 URIs"
PKCS11_PROVIDER_DEBUG=file:${PKCS11_DEBUG_FILE}.extract \
OPENSSL_CONF=openssl.cnf \
dnssec-keyfromlabel -a RSASHA256 -l "$ZSKURL" localhost
PKCS11_PROVIDER_DEBUG=file:${PKCS11_DEBUG_FILE}.extract \
OPENSSL_CONF=openssl.cnf \
dnssec-keyfromlabel -a RSASHA256 -l "$KSKURL" -f KSK localhost
for K in *.key; do
cat "$K" >>localhost
done
test -s "${PKCS11_DEBUG_FILE}".extract

title PARA "Test 2: Sign zone"
PKCS11_PROVIDER_DEBUG=file:${PKCS11_DEBUG_FILE}.sign \
OPENSSL_CONF=openssl.cnf \
dnssec-signzone -o localhost localhost
test -s "${PKCS11_DEBUG_FILE}".sign

popd
echo "Test passed"
title SECTION "Test 2: Sign zone"
dnssec-signzone -o localhost -K "$TMPPDIR" "${TMPPDIR}/localhost"
test -s "${PKCS11_DEBUG_FILE}"
title ENDSECTION
)
title LINE "PASSED"
TEST_RESULT=0
}

# shellcheck disable=SC2317
cleanup()
{
title PARA "Clean-up"

for L in "${PKCS11_DEBUG_FILE}".*; do
title SECTION "$L"
cat "$L"
title ENDSECTION
done

pushd "$BASEDIR" >/dev/null
rm -rf "$WORKDIR"
if [ -e /var/lib/softhsm/tokens.bck ]; then
rm -rf /var/lib/softhsm/tokens
mv /var/lib/softhsm/tokens.bck /var/lib/softhsm/tokens
if [ "$TEST_RESULT" -ne 0 ]; then
for L in ${TMPPDIR}/openssl.cnf $PKCS11_DEBUG_FILE; do
if [ -e "$L" ]; then
title SECTION "$L"
cat "$L"
title ENDSECTION
fi
done
fi
cleanup_server "p11-kit" "$P11_KIT_SERVER_PID"

title LINE "Done"
if [ "${TOKENTYPE}" == "softhsm" ]; then
cleanup_server "p11-kit" "$P11_KIT_SERVER_PID"
fi
}


trap "cleanup" EXIT

# Setup.
install_dependencies
softhsm_token_setup
p11kit_server_setup
pkcs11_provider_setup
token_setup
openssl_setup
bind_setup

# Test.
bind_test

exit $TEST_RESULT
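Review bot: In bind_test (second hunk) `title LINE "PASSED"` and `TEST_RESULT=0` run no matter what happened inside the `( ... )` subshell, so unless helpers.sh turns on `set -e` (not visible in this file) a failing dnssec-keyfromlabel, dnssec-signzone or `test -s` still reports a pass; let the subshell status decide, e.g. close it with `) || return 1`, and the existing `exit $TEST_RESULT` then carries the failure. The Test 2 check `test -s "${PKCS11_DEBUG_FILE}"` now inspects the same log that Test 1 already filled, so it no longer shows that the signing step itself went through the provider the way the former `${PKCS11_DEBUG_FILE}.sign` check did; a per-step debug file, or truncating the log between the two sections, restores that evidence. In the first hunk the work directory moves from `mktemp -d` to the fixed path `/tmp/bind/${TOKENTYPE}`, which is `rm -fr`'d and re-created and then receives `pinfile.txt` under the default umask; a predictable location under /tmp is weaker than the previous mktemp directory, so at least create it with a restrictive mode or keep `mktemp -d` for the token-type subdirectory.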
