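#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Exercise dnssec-keyfromlabel against keys held in a SoftHSM2 token.
# For every algorithm the build's crypto provider supports: create a
# ZSK/KSK pair in the token with pkcs11-tool, reference both by label
# with dnssec-keyfromlabel, and sign a zone with the resulting key files.
#
# Relies on ../conf.sh for SOFTHSM2_MODULE, KEYFRLAB, SIGNER, SHELL and
# echo_i, and on a file named "pin" in this directory holding the token PIN.

set -e

# shellcheck source=conf.sh
. ../conf.sh

# Absolute path of the test directory, so the pin file and the
# "pin-source" label attribute resolve regardless of the tools' cwd.
PWD=$(pwd)

# Initialise explicitly rather than relying on an unset variable being
# read as 0 in $(( )) (that would break under "set -u").
status=0

#######################################
# Create one key in the SoftHSM2 token.
# Arguments: $1 - pkcs11-tool key type (rsa or EC)
#            $2 - key size or curve name
#            $3 - zone name
#            $4 - key identifier (keyfromlabel-zsk / keyfromlabel-ksk)
# Outputs:   pkcs11-tool output in pkcs11-tool.out.<zone>.<id>
# Returns:   0 on success, 1 if pkcs11-tool fails
#######################################
keygen() {
  type="$1"
  bits="$2"
  zone="$3"
  id="$4"

  label="${id}-${zone}"
  # Object id (--id) is a SHA-1 of the label so it is deterministic and
  # distinct for every key the test creates.
  p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}')
  # NOTE: --pin places the PIN in argv, where it is visible in the process
  # list; this is a throwaway test-fixture PIN, not a real credential.
  pkcs11-tool --module "$SOFTHSM2_MODULE" \
    --token-label "softhsm2-keyfromlabel" -l -k \
    --key-type "$type:$bits" --label "${label}" --id "${p11id}" \
    --pin "$(cat "$PWD/pin")" >"pkcs11-tool.out.$zone.$id" || return 1
}

#######################################
# Run dnssec-keyfromlabel for a key created by keygen().
# Arguments: $1 - DNSSEC algorithm name
#            $2 - zone name
#            $3 - key identifier used in the object label
#            $@ - extra dnssec-keyfromlabel options (e.g. -f KSK)
# Outputs:   the tool's stdout (the key name the caller uses as
#            <name>.key) on stdout; it is also appended to
#            keyfromlabel.out.<zone>.<id>, and stderr is kept in
#            keyfromlabel.err.<zone>.<id> for post-mortem instead of
#            being discarded.
# Returns:   0 on success, 1 if dnssec-keyfromlabel fails
#######################################
keyfromlabel() {
  alg="$1"
  zone="$2"
  id="$3"
  shift 3

  # The PIN is supplied via pin-source (a file), not on the command line.
  $KEYFRLAB -E pkcs11 -a "$alg" \
    -l "token=softhsm2-keyfromlabel;object=${id}-${zone};pin-source=$PWD/pin" \
    "$@" "$zone" \
    >>"keyfromlabel.out.$zone.$id" 2>>"keyfromlabel.err.$zone.$id" || return 1
  cat "keyfromlabel.out.$zone.$id"
}

infile="template.db.in"
# Edwards curves (ed25519:EC:edwards25519 ed448:EC:edwards448) are not yet
# supported by OpenSC and are therefore left out of this list.
for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
  ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1; do
  alg=$(echo "$algtypebits" | cut -f 1 -d :)
  type=$(echo "$algtypebits" | cut -f 2 -d :)
  bits=$(echo "$algtypebits" | cut -f 3 -d :)

  # Only run algorithms the crypto provider of this build supports.
  if $SHELL ../testcrypto.sh "$alg"; then
    zone="$alg.example"
    zonefile="zone.$alg.example.db"
    ret=0

    echo_i "Generate keys $alg $type:$bits for zone $zone"
    keygen "$type" "$bits" "$zone" keyfromlabel-zsk || ret=1
    keygen "$type" "$bits" "$zone" keyfromlabel-ksk || ret=1
    test "$ret" -eq 0 || echo_i "failed"
    status=$((status + ret))

    # Skip dnssec-keyfromlabel if key generation failed.
    test "$ret" -eq 0 || continue

    echo_i "Get ZSK $alg $zone $type:$bits"
    ret=0
    # "|| ret=1" is required: a bare "zsk=$(...)" whose substitution fails
    # would abort the whole script under "set -e" before the empty-result
    # check below can record the failure.
    zsk=$(keyfromlabel "$alg" "$zone" keyfromlabel-zsk) || ret=1
    test -n "$zsk" || ret=1
    test "$ret" -eq 0 || echo_i "failed (zsk=$zsk)"
    status=$((status + ret))

    echo_i "Get KSK $alg $zone $type:$bits"
    ret=0
    ksk=$(keyfromlabel "$alg" "$zone" keyfromlabel-ksk -f KSK) || ret=1
    test -n "$ksk" || ret=1
    test "$ret" -eq 0 || echo_i "failed (ksk=$ksk)"
    status=$((status + ret))

    # Skip signing if dnssec-keyfromlabel failed.
    test "$ret" -eq 0 || continue

    echo_i "Sign zone with $ksk $zsk"
    ret=0
    # A missing key file is counted as a failure of this step rather than
    # terminating the run.
    cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" || ret=1
    $SIGNER -E pkcs11 -S -a -g -o "$zone" "$zonefile" >"signer.out.$zone" || ret=1
    test "$ret" -eq 0 || echo_i "failed"
    status=$((status + ret))
  fi
done

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1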