Patch: 0006-ALT-tests-Add-tests-for-signing-with-custom-OpenSSL.patch
From c4bfd0bbbb15deb12e2da480c69454ab736d5823 Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Tue, 12 Oct 2021 17:28:43 +0300
Subject: [PATCH] ALT: tests: Add tests for signing with custom OpenSSL engine
Signing facilities of named (DNSSEC) on an HSM can be set up in two ways:
either by compiling with Native PKCS#11 or by using a custom OpenSSL engine.
For example, the latter is used in FreeIPA (libp11 engine for OpenSSL).
The engine is going to be used only for PKCS11 operations.
See
https://gitlab.isc.org/isc-projects/bind9/-/issues/1228
https://gitlab.isc.org/isc-projects/bind9/-/wikis/BIND-9-PKCS11
---
 bind/bin/tests/prepare-softhsm2.sh    | 21 +++++++++-
 bind/bin/tests/system/cleanpkcs11.sh  |  9 +++--
 bind/bin/tests/system/conf.sh.in      | 12 ++++--
 bind/bin/tests/system/pkcs11/setup.sh | 46 +++++++++++++++------
 bind/bin/tests/system/pkcs11/tests.sh | 58 ++++++++++++++++++++++-----
 bind/bin/tests/system/run.sh          |  2 +-
 bind/bin/tests/system/start.pl        |  4 ++
 7 files changed, 122 insertions(+), 30 deletions(-)
diff --git a/bind/bin/tests/prepare-softhsm2.sh b/bind/bin/tests/prepare-softhsm2.sh
index f1fa19433de..452e0515ebe 100755
--- a/bind/bin/tests/prepare-softhsm2.sh
+++ b/bind/bin/tests/prepare-softhsm2.sh
@@ -11,12 +11,31 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-if [ -n "${SOFTHSM2_CONF}" ] && command -v softhsm2-util >/dev/null; then
+if [ -n "${SOFTHSM2_CONF:-}" ] && command -v softhsm2-util >/dev/null; then
     SOFTHSM2_DIR=$(dirname "$SOFTHSM2_CONF")
     mkdir -p "${SOFTHSM2_DIR}/tokens"
     echo "directories.tokendir = ${SOFTHSM2_DIR}/tokens" > "${SOFTHSM2_CONF}"
     echo "objectstore.backend = file" >> "${SOFTHSM2_CONF}"
     echo "log.level = DEBUG" >> "${SOFTHSM2_CONF}"
     softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'
+
+    if [ -n "${PKCS11_ENGINE:-}" ]; then
+        OPENSSL_CONF_DIR=$(dirname "$OPENSSL_CONF")
+        mkdir -p "${OPENSSL_CONF_DIR}"
+        cat > "$OPENSSL_CONF"<<EOF
+openssl_conf = openssl_init
+
+[openssl_init]
+engines = engine_section
+
+[engine_section]
+pkcs11 = pkcs11_section
+
+[pkcs11_section]
+engine_id = pkcs11
+MODULE_PATH = $SOFTHSM_MODULE_PATH
+init=0
+EOF
+    fi
 fi
 exit 0
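Review bot: The engine branch dereferences `$OPENSSL_CONF` and `$SOFTHSM_MODULE_PATH` bare, while the same hunk just added a `:-` guard for `SOFTHSM2_CONF` on the outer `if`; with `OPENSSL_CONF` empty or unset, `dirname ""` yields `.` and the `cat > "$OPENSSL_CONF"` redirect fails, and an empty module path writes an engine section whose `MODULE_PATH` is blank. Failing at the source is clearer: `OPENSSL_CONF_DIR=$(dirname "${OPENSSL_CONF:?PKCS11_ENGINE requires OPENSSL_CONF}")` and `MODULE_PATH = ${SOFTHSM_MODULE_PATH:?}` inside the here-document. The script still ends in an unconditional `exit 0`, so a failed write here would not be reported to the caller either way; worth a comment if that is intended.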
diff --git a/bind/bin/tests/system/cleanpkcs11.sh b/bind/bin/tests/system/cleanpkcs11.sh
index ff8acd0b184..a21f07e4a28 100644
--- a/bind/bin/tests/system/cleanpkcs11.sh
+++ b/bind/bin/tests/system/cleanpkcs11.sh
@@ -13,6 +13,9 @@
 
 . "$SYSTEMTESTTOP/conf.sh"
 
-PK11DELBIN=$(echo "$PK11DEL" | awk '{ print $1 }')
-
-[ -x "$PK11DELBIN" ] && $PK11DEL -w0 > /dev/null 2>&1
+if [ -n "${PKCS11_ENGINE:-}" ]; then
+    softhsm2-util --delete-token --token softhsm2 >/dev/null ||:
+else
+    PK11DELBIN=$(echo "$PK11DEL" | awk '{ print $1 }')
+    [ -x "$PK11DELBIN" ] && $PK11DEL -w0 > /dev/null 2>&1
+fi
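Review bot: The `softhsm2-util --delete-token` line silences only stdout, whereas the native branch it sits next to redirects both streams with `> /dev/null 2>&1`; when no token exists the tool's error text leaks into the cleanup output even though the status is already discarded by `||:`. `softhsm2-util --delete-token --token softhsm2 >/dev/null 2>&1 ||:` keeps the two branches symmetric. The label `softhsm2` duplicates the `--init-token --label` value in prepare-softhsm2.sh; a one-line comment, `# must match the token label used by prepare-softhsm2.sh`, would stop the two from drifting apart.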
diff --git a/bind/bin/tests/system/conf.sh.in b/bind/bin/tests/system/conf.sh.in
index b9641c42b2d..974b4405134 100644
--- a/bind/bin/tests/system/conf.sh.in
+++ b/bind/bin/tests/system/conf.sh.in
@@ -54,9 +54,15 @@ NSEC3HASH=$TOP/bin/tools/nsec3hash
 export NSLOOKUP=$TOP/bin/dig/nslookup
 export NSUPDATE=$TOP/bin/nsupdate/nsupdate
 export NZD2NZF=$TOP/bin/tools/named-nzd2nzf
-export PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
-export PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
-export PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+if [ -n "${PKCS11_ENGINE:-}" ]; then
+    export PK11DEL_OPENSSL="pkcs11-tool --module $SOFTHSM_MODULE_PATH --slot ${SLOT:-0} --pin ${HSMPIN:-1234} --delete-object"
+    export PK11GEN_OPENSSL="pkcs11-tool --module $SOFTHSM_MODULE_PATH --slot ${SLOT:-0} --pin ${HSMPIN:-1234} --keypairgen --usage-sign"
+    export PK11LIST_OPENSSL="pkcs11-tool --list-objects --module $SOFTHSM_MODULE_PATH --slot ${SLOT:-0} --pin ${HSMPIN:-1234}"
+else
+    export PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
+    export PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+    export PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+fi
 export REVOKE=$TOP/bin/dnssec/dnssec-revoke
 export RNDC=$TOP/bin/rndc/rndc
 export RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
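Review bot: The three `*_OPENSSL` command strings interpolate `$SOFTHSM_MODULE_PATH` with no guard, so with the variable unset the exported value reads `--module --slot 0 ...` and pkcs11-tool would take `--slot` as the module path and fail later with an unrelated error. A `${SOFTHSM_MODULE_PATH:?PKCS11_ENGINE requires SOFTHSM_MODULE_PATH}` expansion in the first of the three lines surfaces the misconfiguration when conf.sh is sourced. The branch also defines only the `*_OPENSSL` names while the `else` branch defines only `PK11DEL`/`PK11GEN`/`PK11LIST`, so every consumer must repeat the `PKCS11_ENGINE` test; that follows from the differing option syntax, but a comment above the `if` stating which set is defined when would help readers of the consumers.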
diff --git a/bind/bin/tests/system/pkcs11/setup.sh b/bind/bin/tests/system/pkcs11/setup.sh
index b592fd095ca..140b16d447e 100644
--- a/bind/bin/tests/system/pkcs11/setup.sh
+++ b/bind/bin/tests/system/pkcs11/setup.sh
@@ -17,7 +17,7 @@ SYSTEMTESTTOP=..
 # shellcheck source=conf.sh
 . "$SYSTEMTESTTOP/conf.sh"
 
-echo_i "Generating keys for Native PKCS#11" >&2
+echo_i "Generating keys for ${PKCS11_ENGINE:-Native PKCS#11}" >&2
 
 infile=ns1/example.db.in
 
@@ -27,17 +27,28 @@ PWD=$(pwd)
 copy_setports ns1/named.conf.in ns1/named.conf
 
 get_random() {
-    dd if=/dev/urandom bs=1 count=2 2>/dev/null | od -tu2 -An
+    id_format="u2"
+    if test -n "$PKCS11_ENGINE"; then
+        id_format="x2"
+    fi
+    dd if=/dev/urandom bs=1 count=2 2>/dev/null | od -t"$id_format" -An | tr -d '[:blank:]'
 }
 
 genpkcs() (
     alg="$1"
     bits="$2"
     label="$3"
+    alg_type="$5"
     id="$(get_random)"
 
-    $PK11DEL -l "$label" -w0 >/dev/null || true
-    $PK11GEN -a "$alg" -b "$bits" -l "$label" -i "$id" >/dev/null
+    if [ -n "${PKCS11_ENGINE:-}" ]; then
+        $PK11DEL_OPENSSL --label "$label" --type privkey >/dev/null ||:
+        $PK11DEL_OPENSSL --label "$label" --type pubkey >/dev/null ||:
+        $PK11GEN_OPENSSL --key-type "$alg_type" --id "$id" --label "$label" >/dev/null
+    else
+        $PK11DEL -l "$label" -w0 >/dev/null || true
+        $PK11GEN -a "$alg" -b "$bits" -l "$label" -i "$id" >/dev/null
+    fi
 )
 
 keyfrlab() (
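Review bot: `get_random` tests `"$PKCS11_ENGINE"` bare on its `if test -n` line while `genpkcs` a few lines below, and the rest of this patch's setup and conf changes, use `${PKCS11_ENGINE:-}`; the two forms differ only when the variable is unset, and a shell running with `-u` aborts on the bare one. `if test -n "${PKCS11_ENGINE:-}"; then` makes the function match its siblings; the same bare form recurs in every `if [ -n "$PKCS11_ENGINE" ]` of the tests.sh hunks and in run.sh. The engine branch of `genpkcs` also mixes `||:` with the `|| true` kept in the native branch; either works, but one spelling per file reads better.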
@@ -45,9 +56,10 @@ keyfrlab() (
     bits="$2"
     label="$3"
     zone="$4"
-    shift 4
+    alt_type="$5"
+    shift 5
 
-    $KEYFRLAB -a "$alg" -l "pkcs11:object=$label;pin-source=$PWD/pin" "$@" "$zone"
+    $KEYFRLAB ${PKCS11_ENGINE:+-E $PKCS11_ENGINE} -a "$alg" -l "pkcs11:object=$label;pin-source=$PWD/pin" "$@" "$zone"
 )
 
 genzsk() (
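Review bot: `keyfrlab` assigns `alt_type="$5"` and never reads it; the only effect of the new line is to show that a fifth argument exists before `shift 5` discards it, and the name does not match `alg_type`, which `genpkcs` and the caller loop use for the same parameter. Either drop the assignment and comment the shift, `shift 5  # $5 is alg_type, consumed by genpkcs only`, or spell it `alg_type` so a grep finds every use. The function's opening line and `alg="$1"` are above this hunk.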
@@ -61,22 +73,30 @@ genksk() (
 )
 
 algs=
-for algbits in rsasha256:2048 rsasha512:2048 ecdsap256sha256:256 ecdsap384sha384:384 ed25519:256 ed448:456; do
+
+algs_to_check='rsasha256:2048 rsasha512:2048 ecdsap256sha256:256 ecdsap384sha384:384 ed25519:256 ed448:456'
+if [ -n "${PKCS11_ENGINE:-}" ]; then
+    # ed25519:ec@edwards25519:256 is not supported by libp11 (end of 2021)
+    algs_to_check='rsasha256:2048:rsa@2048 rsasha512:2048:rsa@2048 ecdsap256sha256:256:ec@prime256v1 ecdsap384sha384:384:ec@prime384v1'
+fi
+
+for algbits in $algs_to_check; do
     alg=$(echo "$algbits" | cut -f 1 -d :)
     bits=$(echo "$algbits" | cut -f 2 -d :)
+    alg_type=$(echo "$algbits" | cut -f 3 -d : | tr '@' ':')
     zone="$alg.example"
     zonefile="ns1/$alg.example.db"
     if $SHELL "$SYSTEMTESTTOP/testcrypto.sh" "$alg"; then
 	echo "$alg" >> supported
 	algs="$algs$alg "
 
-	zsk1=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk1" "$zone")
-	zsk2=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk2" "$zone")
-	ksk1=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk1" "$zone")
-	ksk2=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk2" "$zone")
+	zsk1=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk1" "$zone" "$alg_type")
+	zsk2=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk2" "$zone" "$alg_type")
+	ksk1=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk1" "$zone" "$alg_type")
+	ksk2=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk2" "$zone" "$alg_type")
 
 	cat "$infile" "$zsk1.key" "$ksk1.key" > "$zonefile"
-	$SIGNER -a -P -g -o "$zone" "$zonefile" > /dev/null
+	$SIGNER ${PKCS11_ENGINE:+-E $PKCS11_ENGINE} -a -P -g -o "$zone" "$zonefile" > /dev/null
 	cp "$zsk2.key" "ns1/$alg.zsk"
 	cp "$ksk2.key" "ns1/$alg.ksk"
 	mv "K$alg"* ns1/
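Review bot: The engine-mode list on the second `algs_to_check=` line names the P-384 curve `prime384v1`; OpenSSL itself knows that curve only as `secp384r1` (`prime256v1` is the genuine alias for P-256), and the value ends up as pkcs11-tool's `--key-type ec:prime384v1`. OpenSC's own curve table may accept the alias, so this is not necessarily broken, but `ec@secp384r1` is the name every tool agrees on and avoids a silent failure if the alias is ever dropped. The third `cut` field is empty in native mode, which is fine because `genpkcs` reads `alg_type` only in its engine branch; a short comment on the `alg_type=` line saying so would save the reader checking.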
@@ -91,4 +111,4 @@ zone "$alg.example." {
 EOF
     fi
 done
-echo_i "Generated keys for Native PKCS#11: $algs"
+echo_i "Generated keys for ${PKCS11_ENGINE:-Native PKCS#11}: $algs"
diff --git a/bind/bin/tests/system/pkcs11/tests.sh b/bind/bin/tests/system/pkcs11/tests.sh
index e8d7cb63744..43018529957 100644
--- a/bind/bin/tests/system/pkcs11/tests.sh
+++ b/bind/bin/tests/system/pkcs11/tests.sh
@@ -47,7 +47,11 @@ n=0
 while read -r alg; do
     zonefile=ns1/$alg.example.db
     echo_i "testing PKCS#11 key generation ($alg)"
-    count=$($PK11LIST | grep -c "pkcs11-$alg-ksk" || true)
+    if [ -n "$PKCS11_ENGINE" ]; then
+        count=$($PK11LIST_OPENSSL | grep -c "pkcs11-$alg-ksk" || true)
+    else
+        count=$($PK11LIST | grep -c "pkcs11-$alg-ksk" || true)
+    fi
     [ "$count" -eq 4 ] || ret=1
     test_done
 
@@ -99,37 +103,73 @@ EOF
 
     # Lookup all existing keys
     echo_i "looking up all existing keys ($alg)"
-    $PK11LIST > "pkcs11-list.out.id.$alg" || ret=1
+    if [ -n "$PKCS11_ENGINE" ]; then
+        $PK11LIST_OPENSSL > "pkcs11-list.out.id.$alg" || ret=1
+    else
+        $PK11LIST > "pkcs11-list.out.id.$alg" || ret=1
+    fi
     test_done
 
     echo_i "destroying key with 'pkcs11-$alg-ksk1' label ($alg)"
-    $PK11DEL -l "pkcs11-$alg-ksk1" > /dev/null 2>&1 || ret=1
+    if [ -n "$PKCS11_ENGINE" ]; then
+        $PK11DEL_OPENSSL --label "pkcs11-$alg-ksk1" --type privkey > /dev/null 2>&1 || ret=1
+        $PK11DEL_OPENSSL --label "pkcs11-$alg-ksk1" --type pubkey > /dev/null 2>&1 || ret=1
+    else
+        $PK11DEL -l "pkcs11-$alg-ksk1" > /dev/null 2>&1 || ret=1
+    fi
     test_done
 
     echo_i "destroying key with 'pkcs11-$alg-zsk1' label ($alg)"
-    $PK11DEL -l "pkcs11-$alg-zsk1" > /dev/null 2>&1 || ret=1
+    if [ -n "$PKCS11_ENGINE" ]; then
+        $PK11DEL_OPENSSL --label "pkcs11-$alg-zsk1" --type privkey > /dev/null 2>&1 || ret=1
+        $PK11DEL_OPENSSL --label "pkcs11-$alg-zsk1" --type pubkey > /dev/null 2>&1 || ret=1
+    else
+        $PK11DEL -l "pkcs11-$alg-ksk1" > /dev/null 2>&1 || ret=1
+    fi
     test_done
 
-    id=$(awk -v label="'pkcs11-$alg-ksk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg")
+    if [ -n "$PKCS11_ENGINE" ]; then
+        id=$(cat "pkcs11-list.out.id.$alg" | grep -oiPz "[[:space:]]*label:[[:space:]]*pkcs11-$alg-ksk2\n[[:space:]]*ID:[[:space:]]*.*\n" | head -z -n 1 | sed -n 's/^[[:space:]]*ID:[[:space:]]*\(.*\)$/\1/p')
+    else
+        id=$(awk -v label="'pkcs11-$alg-ksk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg")
+    fi
     echo_i "destroying key with $id id ($alg)"
     if [ -n "$id" ]; then
-	$PK11DEL -i "$id" > /dev/null 2>&1 || ret=1
+        if [ -n "$PKCS11_ENGINE" ]; then
+            $PK11DEL_OPENSSL --type privkey --id "$id" > /dev/null 2>&1 || ret=1
+            $PK11DEL_OPENSSL --type pubkey --id "$id" > /dev/null 2>&1 || ret=1
+        else
+            $PK11DEL -i "$id" > /dev/null 2>&1 || ret=1
+        fi
     else
 	ret=1
     fi
     test_done
 
-    id=$(awk -v label="'pkcs11-$alg-zsk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg")
+    if [ -n "$PKCS11_ENGINE" ]; then
+        id=$(cat "pkcs11-list.out.id.$alg" | grep -oiPz "[[:space:]]*label:[[:space:]]*pkcs11-$alg-zsk2\n[[:space:]]*ID:[[:space:]]*.*\n" | head -z -n 1 | sed -n 's/^[[:space:]]*ID:[[:space:]]*\(.*\)$/\1/p')
+    else
+        id=$(awk -v label="'pkcs11-$alg-zsk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg")
+    fi
     echo_i "destroying key with $id id ($alg)"
     if [ -n "$id" ]; then
-	$PK11DEL -i "$id" > /dev/null 2>&1 || ret=1
+        if [ -n "$PKCS11_ENGINE" ]; then
+            $PK11DEL_OPENSSL --type privkey --id "$id" > /dev/null 2>&1 || ret=1
+            $PK11DEL_OPENSSL --type pubkey --id "$id" > /dev/null 2>&1 || ret=1
+        else
+            $PK11DEL -i "$id" > /dev/null 2>&1 || ret=1
+        fi
     else
 	ret=1
     fi
     test_done
 
     echo_i "checking if all keys have been destroyed ($alg)"
-    $PK11LIST > "pkcs11-list.out.$alg" || ret=1
+    if [ -n "$PKCS11_ENGINE" ]; then
+        $PK11LIST_OPENSSL > "pkcs11-list.out.$alg" || ret=1
+    else
+        $PK11LIST > "pkcs11-list.out.$alg" || ret=1
+    fi
     count=$(grep -c "pkcs11-$alg-[kz]sk[0-9]*" "pkcs11-list.out.$alg" || true)
     [ "$count" -eq 0 ] || ret=1
     test_done
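Review bot: The native branch of the zsk1 deletion block destroys `pkcs11-$alg-ksk1` instead of `pkcs11-$alg-zsk1`; the removed line had `zsk1`, so the patch changes the label while wrapping the call in the new `if`. In native mode ksk1 was already destroyed by the preceding block, so this call fails and sets `ret=1`, and the later "checking if all keys have been destroyed" count stays non-zero because zsk1 remains in the token. The line should read `$PK11DEL -l "pkcs11-$alg-zsk1" > /dev/null 2>&1 || ret=1`. Separately, the two `id=$(cat ... | grep -oiPz ... | head -z ...)` pipelines depend on GNU-only grep and head options and on a useless `cat`; passing `"pkcs11-list.out.id.$alg"` to grep directly removes one process, and the GNU dependency deserves a comment since the rest of the file is POSIX sh. The enclosing `while read -r alg` loop begins above this hunk.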
diff --git a/bind/bin/tests/system/run.sh b/bind/bin/tests/system/run.sh
index 14a10670fa8..e2cf3f36413 100755
--- a/bind/bin/tests/system/run.sh
+++ b/bind/bin/tests/system/run.sh
@@ -182,7 +182,7 @@ fi
 
 # Check for PKCS#11 support
 if
-    test ! -f $systest/usepkcs11 || $SHELL cleanpkcs11.sh
+    test ! -f $systest/usepkcs11 -o -n "$PKCS11_ENGINE" || $SHELL cleanpkcs11.sh
 then
     : pkcs11 ok
 else
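Review bot: The new condition joins two tests with `-o`, which POSIX marks obsolescent and whose precedence next to `!` varies between `test` implementations; `test ! -f $systest/usepkcs11 || test -n "${PKCS11_ENGINE:-}" || $SHELL cleanpkcs11.sh` expresses the same short-circuit without it. With the engine set, cleanpkcs11.sh is skipped entirely, so a token left over from an earlier run is not cleared before setup.sh runs; setup.sh does delete by label first, so this is probably acceptable, but a comment on the line saying the engine path relies on setup's per-label delete would save the next reader a search. The `if` closes below the hunk.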
diff --git a/bind/bin/tests/system/start.pl b/bind/bin/tests/system/start.pl
index 657d9880807..70b59838d02 100755
--- a/bind/bin/tests/system/start.pl
+++ b/bind/bin/tests/system/start.pl
@@ -282,6 +282,10 @@ sub construct_ns_command {
 		$command .= "-c named.conf -d 99 -g -U 4 -T maxcachesize=2097152";
 	}
 
+	if ($ENV{'PKCS11_ENGINE'}) {
+		$command .= " -E $ENV{'PKCS11_ENGINE'}";
+	}
+
 	if (-e "$testdir/$server/named.notcp") {
 		$command .= " -T notcp"
 	}
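Review bot: The value of `$ENV{'PKCS11_ENGINE'}` is appended into `$command` unquoted and unvalidated, unlike the other options in this function, which are literals. If `$command` is later handed to a shell (not visible in the hunk), whitespace or shell metacharacters in the variable would split or alter the named command line; restricting it to an engine id before the append, `die "bad PKCS11_ENGINE" unless $ENV{'PKCS11_ENGINE'} =~ /^[\w.-]+\z/;`, keeps the command well formed regardless of how it is executed. The enclosing `construct_ns_command` sub starts above the hunk.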
-- 
2.33.4
 