1#!/bin/sh 2# 3# Copyright (C) Internet Systems Consortium, Inc. ("ISC") 4# 5# SPDX-License-Identifier: MPL-2.0 6# 7# This Source Code Form is subject to the terms of the Mozilla Public 8# License, v. 2.0. If a copy of the MPL was not distributed with this 9# file, you can obtain one at https://mozilla.org/MPL/2.0/. 10# 11# See the COPYRIGHT file distributed with this work for additional 12# information regarding copyright ownership. 13 14# shellcheck source=conf.sh 15. ../conf.sh 16 17set -e 18 19softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2-enginepkcs11" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }' 20 21printf '%s' "${HSMPIN:-1234}" >pin 22PWD=$(pwd) 23 24copy_setports ns1/named.conf.in ns1/named.conf 25 26keygen() { 27 type="$1" 28 bits="$2" 29 zone="$3" 30 id="$4" 31 32 label="${id}-${zone}" 33 p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}') 34 pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-enginepkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) >pkcs11-tool.out.$zone.$id 2>pkcs11-tool.err.$zone.$id || return 1 35} 36 37keyfromlabel() { 38 alg="$1" 39 zone="$2" 40 id="$3" 41 dir="$4" 42 shift 4 43 44 $KEYFRLAB -K $dir -E pkcs11 -a $alg -l "token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1 45 cat keyfromlabel.out.$zone.$id 46} 47 48# Setup ns1. 49dir="ns1" 50infile="${dir}/template.db.in" 51for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \ 52 ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1; do # Edwards curves are not yet supported by OpenSC 53 # ed25519:EC:edwards25519 ed448:EC:edwards448 54 alg=$(echo "$algtypebits" | cut -f 1 -d :) 55 type=$(echo "$algtypebits" | cut -f 2 -d :) 56 bits=$(echo "$algtypebits" | cut -f 3 -d :) 57 58 if $SHELL ../testcrypto.sh $alg; then 59 zone="$alg.example" 60 zonefile="zone.$alg.example.db" 61 ret=0 62 63 echo_i "Generate keys $alg $type:$bits for zone $zone" 64 keygen $type $bits $zone enginepkcs11-zsk || ret=1 65 keygen $type $bits $zone enginepkcs11-ksk || ret=1 66 test "$ret" -eq 0 || exit 1 67 68 echo_i "Get ZSK $alg $zone $type:$bits" 69 zsk1=$(keyfromlabel $alg $zone enginepkcs11-zsk $dir) 70 test -z "$zsk1" && exit 1 71 72 echo_i "Get KSK $alg $zone $type:$bits" 73 ksk1=$(keyfromlabel $alg $zone enginepkcs11-ksk $dir -f KSK) 74 test -z "$ksk1" && exit 1 75 76 ( 77 cd $dir 78 zskid1=$(keyfile_to_key_id $zsk1) 79 kskid1=$(keyfile_to_key_id $ksk1) 80 echo "$zskid1" >$zone.zskid1 81 echo "$kskid1" >$zone.kskid1 82 ) 83 84 echo_i "Sign zone with $ksk1 $zsk1" 85 cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile}" 86 $SIGNER -K $dir -E pkcs11 -S -a -g -O full -o "$zone" "${dir}/${zonefile}" >signer.out.$zone || ret=1 87 test "$ret" -eq 0 || exit 1 88 89 echo_i "Generate successor keys $alg $type:$bits for zone $zone" 90 keygen $type $bits $zone enginepkcs11-zsk2 || ret=1 91 keygen $type $bits $zone enginepkcs11-ksk2 || ret=1 92 test "$ret" -eq 0 || exit 1 93 94 echo_i "Get ZSK $alg $id-$zone $type:$bits" 95 zsk2=$(keyfromlabel $alg $zone enginepkcs11-zsk2 $dir) 96 test -z "$zsk2" && exit 1 97 98 echo_i "Get KSK $alg $id-$zone $type:$bits" 99 ksk2=$(keyfromlabel $alg $zone enginepkcs11-ksk2 $dir -f KSK) 100 test -z "$ksk2" && exit 1 101 102 ( 103 cd $dir 104 zskid2=$(keyfile_to_key_id $zsk2) 105 kskid2=$(keyfile_to_key_id $ksk2) 106 echo "$zskid2" >$zone.zskid2 107 echo "$kskid2" >$zone.kskid2 108 cp "${zsk2}.key" "${zsk2}.zsk2" 109 cp "${ksk2}.key" "${ksk2}.ksk2" 110 ) 111 112 echo_i "Add zone $zone to named.conf" 113 cat >>"${dir}/named.conf" <<EOF 114zone "$zone" { 115 type primary; 116 file "${zonefile}.signed"; 117 allow-update { any; }; 118}; 119 120EOF 121 fi 122done 123