#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

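# Setup for the enginepkcs11 system test: create a SoftHSM2 token, generate
# the zone keys inside it, sign one zone per algorithm and register the zones
# in ns1/named.conf. Helpers such as echo_i, copy_setports and
# keyfile_to_key_id, and the KEYFRLAB/SIGNER/SOFTHSM2_MODULE variables, come
# from conf.sh.
# shellcheck source=conf.sh
. ../conf.sh

set -e

# Create a fresh SoftHSM2 token for this test. softhsm2-util reports the slot
# the new token was assigned to; that slot number is printed so it ends up in
# the test log. The tool's output is captured in a file first so that a
# failure of softhsm2-util itself aborts the setup: "set -e" only sees the
# status of the last command of a pipeline, and "pipefail" is not portable
# to /bin/sh.
softhsm2-util --init-token --free --pin 1234 --so-pin 1234 \
  --label "softhsm2-enginepkcs11" >softhsm2-util.out || exit 1
awk '/^The token has been initialized and is reassigned to slot/ { print $NF }' softhsm2-util.out

# Write the user PIN to a file with no trailing newline. keyfromlabel() hands
# this path to the engine as pin-source and keygen() reads it back for
# pkcs11-tool. NOTE(review): the token above is always initialised with PIN
# 1234, so overriding HSMPIN only makes sense if that matches the token.
printf '%s' "${HSMPIN:-1234}" >pin
# Remember the test directory: the helpers refer to "$PWD/pin" by absolute
# path while the per-zone steps below cd into ns1 (in subshells).
PWD=$(pwd)

copy_setports ns1/named.conf.in ns1/named.conf
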
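#######################################
# Generate a key pair inside the SoftHSM2 token with pkcs11-tool.
# Globals:   SOFTHSM2_MODULE, PWD (read); type, bits, zone, id, label,
#            p11id (written - plain sh, no "local")
# Arguments: $1 - pkcs11-tool key type (e.g. rsa, EC)
#            $2 - key size or curve name
#            $3 - zone name
#            $4 - key identifier; the object label is "$4-$3"
# Outputs:   pkcs11-tool stdout/stderr go to pkcs11-tool.{out,err}.<zone>.<id>
# Returns:   0 on success, 1 if pkcs11-tool failed
#######################################
keygen() {
  type="$1"
  bits="$2"
  zone="$3"
  id="$4"

  # The object ID passed as --id is the SHA-1 of the label (plus the newline
  # printf emits), so the same label always maps to the same ID.
  label="${id}-${zone}"
  p11id=$(printf '%s\n' "${label}" | openssl sha1 -r | awk '{print $1}')
  # NOTE(review): the user PIN is expanded onto pkcs11-tool's argument list,
  # where the process list and "set -x" traces can show it. That is fine for
  # the fixed test-token PIN; for anything resembling a real credential use
  # a file or environment based hand-over as keyfromlabel() does.
  pkcs11-tool --module "$SOFTHSM2_MODULE" --token-label "softhsm2-enginepkcs11" \
    -l -k --key-type "$type:$bits" --label "${label}" --id "${p11id}" \
    --pin "$(cat "$PWD/pin")" \
    >"pkcs11-tool.out.$zone.$id" 2>"pkcs11-tool.err.$zone.$id" || return 1
}
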
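#######################################
# Create the key files for a token object via $KEYFRLAB (presumably
# dnssec-keyfromlabel) using the pkcs11 engine, and print the key name.
# Globals:   KEYFRLAB, PWD (read); alg, zone, id, dir (written - plain sh,
#            no "local")
# Arguments: $1 - DNSSEC algorithm name
#            $2 - zone name
#            $3 - key identifier; the token object is labelled "$3-$2"
#            $4 - directory the key files are written to (-K)
#            remaining arguments are passed through (e.g. "-f KSK")
# Outputs:   the tool's stdout, as appended to keyfromlabel.out.<zone>.<id>,
#            is printed on success; stderr goes to keyfromlabel.err.<zone>.<id>
# Returns:   0 on success, 1 if the tool failed
#######################################
keyfromlabel() {
  alg="$1"
  zone="$2"
  id="$3"
  dir="$4"
  shift 4

  # The PIN is handed over as a file path (pin-source), not on the command
  # line. $KEYFRLAB is deliberately left unquoted in case conf.sh defines it
  # with arguments. The .out file is appended to, so call this once per
  # zone/id pair (as this script does) or the printed name will repeat.
  $KEYFRLAB -K "$dir" -E pkcs11 -a "$alg" \
    -l "token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/pin" \
    "$@" "$zone" >>"keyfromlabel.out.$zone.$id" 2>"keyfromlabel.err.$zone.$id" || return 1
  cat "keyfromlabel.out.$zone.$id"
}
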
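# Setup ns1.
dir="ns1"
infile="${dir}/template.db.in"

# One zone per algorithm. Each entry is "<DNSSEC alg>:<pkcs11-tool key
# type>:<key size or curve>": the first field goes to testcrypto.sh and
# keyfromlabel(), the other two to keygen().
# Edwards curves are not yet supported by OpenSC:
#   ed25519:EC:edwards25519 ed448:EC:edwards448
for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
  ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1; do
  # Split the triple with parameter expansion rather than echo|cut.
  alg=${algtypebits%%:*}
  typebits=${algtypebits#*:}
  type=${typebits%%:*}
  bits=${typebits#*:}

  # Skip algorithms the crypto library in use cannot do. ($SHELL and $SIGNER
  # are left unquoted, as elsewhere in the suite, in case conf.sh defines
  # them with arguments.)
  if $SHELL ../testcrypto.sh "$alg"; then
    zone="$alg.example"
    zonefile="zone.$alg.example.db"
    ret=0

    # Initial key pair: both keys live in the token; keyfromlabel() then
    # creates the matching key files under $dir and prints the key name.
    echo_i "Generate keys $alg $type:$bits for zone $zone"
    keygen "$type" "$bits" "$zone" enginepkcs11-zsk || ret=1
    keygen "$type" "$bits" "$zone" enginepkcs11-ksk || ret=1
    test "$ret" -eq 0 || exit 1

    echo_i "Get ZSK $alg $zone $type:$bits"
    zsk1=$(keyfromlabel "$alg" "$zone" enginepkcs11-zsk "$dir")
    test -n "$zsk1" || exit 1

    echo_i "Get KSK $alg $zone $type:$bits"
    ksk1=$(keyfromlabel "$alg" "$zone" enginepkcs11-ksk "$dir" -f KSK)
    test -n "$ksk1" || exit 1

    # Record the key IDs next to the zone (subshell so the cd does not leak).
    (
      cd "$dir" || exit 1
      zskid1=$(keyfile_to_key_id "$zsk1")
      kskid1=$(keyfile_to_key_id "$ksk1")
      echo "$zskid1" >"$zone.zskid1"
      echo "$kskid1" >"$zone.kskid1"
    )

    # Build the unsigned zone from the template plus the two .key files and
    # sign it through the pkcs11 engine; the signed zone is
    # "${zonefile}.signed", which the named.conf stanza below refers to.
    echo_i "Sign zone with $ksk1 $zsk1"
    cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile}"
    $SIGNER -K "$dir" -E pkcs11 -S -a -g -O full -o "$zone" \
      "${dir}/${zonefile}" >"signer.out.$zone" || ret=1
    test "$ret" -eq 0 || exit 1

    # Successor key pair, same procedure. (These log lines used to print
    # "$id-$zone", where $id was a stale global left behind by the previous
    # keyfromlabel() call, i.e. the wrong key name.)
    echo_i "Generate successor keys $alg $type:$bits for zone $zone"
    keygen "$type" "$bits" "$zone" enginepkcs11-zsk2 || ret=1
    keygen "$type" "$bits" "$zone" enginepkcs11-ksk2 || ret=1
    test "$ret" -eq 0 || exit 1

    echo_i "Get ZSK $alg $zone $type:$bits"
    zsk2=$(keyfromlabel "$alg" "$zone" enginepkcs11-zsk2 "$dir")
    test -n "$zsk2" || exit 1

    echo_i "Get KSK $alg $zone $type:$bits"
    ksk2=$(keyfromlabel "$alg" "$zone" enginepkcs11-ksk2 "$dir" -f KSK)
    test -n "$ksk2" || exit 1

    # Record the successor key IDs and keep copies of their .key files under
    # .zsk2/.ksk2 names (presumably consumed later by tests.sh).
    (
      cd "$dir" || exit 1
      zskid2=$(keyfile_to_key_id "$zsk2")
      kskid2=$(keyfile_to_key_id "$ksk2")
      echo "$zskid2" >"$zone.zskid2"
      echo "$kskid2" >"$zone.kskid2"
      cp "${zsk2}.key" "${zsk2}.zsk2"
      cp "${ksk2}.key" "${ksk2}.ksk2"
    )

    echo_i "Add zone $zone to named.conf"
    cat >>"${dir}/named.conf" <<EOF
zone "$zone" {
	type primary;
	file "${zonefile}.signed";
	allow-update { any; };
};

EOF
  fi
done
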