1#!/bin/sh
2#
3# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
4#
5# SPDX-License-Identifier: MPL-2.0
6#
7# This Source Code Form is subject to the terms of the Mozilla Public
8# License, v. 2.0. If a copy of the MPL was not distributed with this
9# file, you can obtain one at https://mozilla.org/MPL/2.0/.
10#
11# See the COPYRIGHT file distributed with this work for additional
12# information regarding copyright ownership.
13
14set -e
15
16# shellcheck source=conf.sh
17. ../conf.sh
18
19PWD=$(pwd)
20
21keygen() {
22  type="$1"
23  bits="$2"
24  zone="$3"
25  id="$4"
26
27  label="${id}-${zone}"
28  p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}')
29  pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-keyfromlabel" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) >pkcs11-tool.out.$zone.$id || return 1
30}
31
32keyfromlabel() {
33  alg="$1"
34  zone="$2"
35  id="$3"
36  shift 3
37
38  $KEYFRLAB -E pkcs11 -a $alg -l "token=softhsm2-keyfromlabel;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>>/dev/null || return 1
39  cat keyfromlabel.out.$zone.$id
40}
41
42infile="template.db.in"
43for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
44  ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1; do # Edwards curves are not yet supported by OpenSC
45  # ed25519:EC:edwards25519 ed448:EC:edwards448
46  alg=$(echo "$algtypebits" | cut -f 1 -d :)
47  type=$(echo "$algtypebits" | cut -f 2 -d :)
48  bits=$(echo "$algtypebits" | cut -f 3 -d :)
49
50  if $SHELL ../testcrypto.sh $alg; then
51    zone="$alg.example"
52    zonefile="zone.$alg.example.db"
53    ret=0
54
55    echo_i "Generate keys $alg $type:$bits for zone $zone"
56    keygen $type $bits $zone keyfromlabel-zsk || ret=1
57    keygen $type $bits $zone keyfromlabel-ksk || ret=1
58    test "$ret" -eq 0 || echo_i "failed"
59    status=$((status + ret))
60
61    # Skip dnssec-keyfromlabel if key generation failed.
62    test $ret -eq 0 || continue
63
64    echo_i "Get ZSK $alg $zone $type:$bits"
65    ret=0
66    zsk=$(keyfromlabel $alg $zone keyfromlabel-zsk)
67    test -z "$zsk" && ret=1
68    test "$ret" -eq 0 || echo_i "failed (zsk=$zsk)"
69    status=$((status + ret))
70
71    echo_i "Get KSK $alg $zone $type:$bits"
72    ret=0
73    ksk=$(keyfromlabel $alg $zone keyfromlabel-ksk -f KSK)
74    test -z "$ksk" && ret=1
75    test "$ret" -eq 0 || echo_i "failed (ksk=$ksk)"
76    status=$((status + ret))
77
78    # Skip signing if dnssec-keyfromlabel failed.
79    test $ret -eq 0 || continue
80
81    echo_i "Sign zone with $ksk $zsk"
82    ret=0
83    cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
84    $SIGNER -E pkcs11 -S -a -g -o "$zone" "$zonefile" >signer.out.$zone || ret=1
85    test "$ret" -eq 0 || echo_i "failed"
86    status=$((status + ret))
87  fi
88done
89
90echo_i "exit status: $status"
91[ $status -eq 0 ] || exit 1
92