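#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Test setup for the enginepkcs11 system test:
#   1. (re)create a throwaway SoftHSM token,
#   2. generate ZSK/KSK pairs inside the token for every supported
#      algorithm, derive BIND key files from the PKCS#11 labels and
#      record the key ids,
#   3. sign the initial zone files,
#   4. append the zone and dnssec-policy definitions to ns1/named.conf
#      and ns2/named.conf.
#
# Provided by conf.sh: echo_i, keyfile_to_key_id, SOFTHSM2_MODULE,
# KEYFRLAB, SIGNER, ENGINE_ARG and the <ALG>_SUPPORTED flags.
# Optional environment: HSMPIN (user PIN of the token, default 1234).

# shellcheck source=conf.sh
. ../conf.sh

set -e

token_label="softhsm2-enginepkcs11"
# The same value is used to initialize the token and is written to the
# pin file, so the two can never disagree.
hsm_pin="${HSMPIN:-1234}"

# Start from a clean token; deleting it may legitimately fail on a
# first run, hence "|| true".
OPENSSL_CONF= softhsm2-util --delete-token --token "$token_label" >/dev/null 2>&1 || true
# Only the assigned slot number is echoed.  Without pipefail the status
# of this pipeline is awk's, so an init failure is not caught here and
# surfaces at the first keygen instead.
OPENSSL_CONF= softhsm2-util --init-token --free --pin "$hsm_pin" --so-pin 1234 --label "$token_label" \
  | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'

# Pin file consumed by pkcs11-tool (via cat) and by the pkcs11 URI
# pin-source below; ns2 deliberately shares ns1's pin file.
printf '%s' "$hsm_pin" >ns1/pin
# Absolute test directory, needed for the pin-source URI component.
basedir=$(pwd)

#######################################
# Generate a key pair inside the SoftHSM token.
# Arguments:
#   $1 - pkcs11-tool key type (rsa or EC)
#   $2 - key size in bits (rsa) or curve name (EC)
#   $3 - zone name, second half of the object label
#   $4 - key id, first half of the object label
# Outputs:
#   pkcs11-tool.out.<zone>.<id> / pkcs11-tool.err.<zone>.<id>
# Returns:
#   0 on success, 1 if pkcs11-tool failed
#######################################
keygen() {
  kg_type="$1"
  kg_bits="$2"
  kg_zone="$3"
  kg_id="$4"
  kg_label="${kg_id}-${kg_zone}"

  # CKA_ID is the SHA-1 of the label; the trailing newline is part of the
  # hashed input (printf '%s\n' reproduces what echo produced).
  kg_p11id=$(printf '%s\n' "$kg_label" | openssl sha1 -r | awk '{print $1}')

  # The PIN is passed on pkcs11-tool's command line and is therefore
  # visible to other local users in the process table.  That is
  # tolerable only because it is the fixed fixture PIN of a throwaway
  # test token created above.
  OPENSSL_CONF= pkcs11-tool --module "$SOFTHSM2_MODULE" \
    --token-label "$token_label" -l -k \
    --key-type "${kg_type}:${kg_bits}" --label "$kg_label" --id "$kg_p11id" \
    --pin "$(cat "$basedir/ns1/pin")" \
    >"pkcs11-tool.out.${kg_zone}.${kg_id}" 2>"pkcs11-tool.err.${kg_zone}.${kg_id}" || return 1
}

#######################################
# Create a BIND key file from a PKCS#11 object label and print its name.
# Arguments:
#   $1 - DNSSEC algorithm name
#   $2 - zone name
#   $3 - key id (object label is "<id>-<zone>")
#   $4 - key directory
#   remaining arguments are passed through to KEYFRLAB (e.g. -f KSK)
# Outputs:
#   appends to keyfromlabel.out.<zone>.<id>, writes keyfromlabel.err.<zone>.<id>,
#   prints the key file name(s) collected in the .out file to stdout
# Returns:
#   0 on success, 1 if KEYFRLAB failed
#######################################
keyfromlabel() {
  kfl_alg="$1"
  kfl_zone="$2"
  kfl_id="$3"
  kfl_dir="$4"
  shift 4

  # KEYFRLAB and ENGINE_ARG are intentionally unquoted: they may hold a
  # command plus options, or be empty.
  # shellcheck disable=SC2086
  $KEYFRLAB $ENGINE_ARG -K "$kfl_dir" -a "$kfl_alg" -y \
    -l "pkcs11:token=${token_label};object=${kfl_id}-${kfl_zone};pin-source=${basedir}/ns1/pin" \
    "$@" "$kfl_zone" \
    >>"keyfromlabel.out.${kfl_zone}.${kfl_id}" 2>"keyfromlabel.err.${kfl_zone}.${kfl_id}" || return 1
  cat "keyfromlabel.out.${kfl_zone}.${kfl_id}"
}

#######################################
# Record the key ids of a ZSK/KSK pair as <dir>/<zone>.zskid<n> and
# <dir>/<zone>.kskid<n>.
# Arguments:
#   $1 - key directory
#   $2 - zone name
#   $3 - generation number (1 for the initial pair, 2 for successors)
#   $4 - ZSK key file base name
#   $5 - KSK key file base name
#######################################
record_key_ids() {
  (
    cd "$1"
    rk_zskid=$(keyfile_to_key_id "$4")
    rk_kskid=$(keyfile_to_key_id "$5")
    echo "$rk_zskid" >"$2.zskid$3"
    echo "$rk_kskid" >"$2.kskid$3"
  )
}

#######################################
# Split an "alg:type:bits" triple into alg, type and bits.
# Arguments:
#   $1 - triple such as rsasha256:rsa:2048
# Globals written: alg, type, bits
#######################################
split_algtypebits() {
  alg=${1%%:*}
  sab_rest=${1#*:}
  type=${sab_rest%%:*}
  bits=${sab_rest#*:}
}

#######################################
# Look up the <ALG>_SUPPORTED flag exported by conf.sh.
# Arguments:
#   $1 - lower-case algorithm name
# Globals written: supported
#######################################
lookup_supported() {
  ls_alg_upper=$(echo "$1" | tr '[:lower:]' '[:upper:]')
  # POSIX sh has no indirect expansion; eval is acceptable because the
  # name is derived from the fixed algorithm lists in this script.
  eval "supported=\${${ls_alg_upper}_SUPPORTED:-}"
}

mkdir ns1/keys

dir="ns1"
infile="${dir}/template.db.in"
# Edwards curves are not yet supported by OpenSC, so
# ed25519:EC:edwards25519 ed448:EC:edwards448 are left out of the list.
for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
  ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1; do
  split_algtypebits "$algtypebits"
  lookup_supported "$alg"

  tld="example"
  if [ "${supported}" = 1 ]; then
    zone="$alg.$tld"
    zonefile="zone.$alg.$tld.db"
    ret=0

    echo_i "Generate keys $alg $type:$bits for zone $zone"
    keygen "$type" "$bits" "$zone" enginepkcs11-zsk || ret=1
    keygen "$type" "$bits" "$zone" enginepkcs11-ksk || ret=1
    test "$ret" -eq 0 || exit 1

    echo_i "Get ZSK $alg $zone $type:$bits"
    zsk1=$(keyfromlabel "$alg" "$zone" enginepkcs11-zsk "$dir")
    test -n "$zsk1" || exit 1

    echo_i "Get KSK $alg $zone $type:$bits"
    ksk1=$(keyfromlabel "$alg" "$zone" enginepkcs11-ksk "$dir" -f KSK)
    test -n "$ksk1" || exit 1

    record_key_ids "$dir" "$zone" 1 "$zsk1" "$ksk1"

    echo_i "Sign zone with $ksk1 $zsk1"
    cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile}"
    # shellcheck disable=SC2086
    $SIGNER $ENGINE_ARG -K "$dir" -S -a -g -O full -o "$zone" "${dir}/${zonefile}" >"signer.out.$zone" || ret=1
    test "$ret" -eq 0 || exit 1

    echo_i "Generate successor keys $alg $type:$bits for zone $zone"
    keygen "$type" "$bits" "$zone" enginepkcs11-zsk2 || ret=1
    keygen "$type" "$bits" "$zone" enginepkcs11-ksk2 || ret=1
    test "$ret" -eq 0 || exit 1

    echo_i "Get ZSK $alg enginepkcs11-zsk2-$zone $type:$bits"
    zsk2=$(keyfromlabel "$alg" "$zone" enginepkcs11-zsk2 "$dir")
    test -n "$zsk2" || exit 1

    echo_i "Get KSK $alg enginepkcs11-ksk2-$zone $type:$bits"
    ksk2=$(keyfromlabel "$alg" "$zone" enginepkcs11-ksk2 "$dir" -f KSK)
    test -n "$ksk2" || exit 1

    record_key_ids "$dir" "$zone" 2 "$zsk2" "$ksk2"
    # Keep a copy of the successor public keys for the test to pick up.
    cp "${dir}/${zsk2}.key" "${dir}/${zsk2}.zsk2"
    cp "${dir}/${ksk2}.key" "${dir}/${ksk2}.ksk2"

    echo_i "Add zone $alg.kasp to named.conf"
    cp "$infile" "${dir}/zone.${alg}.kasp.db"

    echo_i "Add zone $alg.split to named.conf"
    cp "$infile" "${dir}/zone.${alg}.split.db"

    echo_i "Add weird zone to named.conf"
    cp "$infile" "${dir}/zone.${alg}.weird.db"

    echo_i "Add zone $zone to named.conf"
    # Unquoted delimiter: $zone, $alg and $zonefile are expanded; the
    # backslash sequences in the "weird" names are emitted verbatim
    # except for \$, which becomes a literal $.
    cat >>"${dir}/named.conf" <<EOF
zone "$zone" {
	type primary;
	file "${zonefile}.signed";
	allow-update { any; };
};

dnssec-policy "$alg" {
	keys {
		ksk key-store "hsm" lifetime unlimited algorithm ${alg};
		zsk key-store "pin" lifetime unlimited algorithm ${alg};
	};
};

zone "${alg}.kasp" {
	type primary;
	file "zone.${alg}.kasp.db";
	dnssec-policy "$alg";
	allow-update { any; };
};

dnssec-policy "weird-${alg}-\"\:\;\?\&\[\]\@\!\$\*\+\,\|\=\.\(\)" {
	keys {
		ksk key-store "hsm" lifetime unlimited algorithm ${alg};
		zsk key-store "pin" lifetime unlimited algorithm ${alg};
	};
};

zone "${alg}.\"\:\;\?\&\[\]\@\!\$\*\+\,\|\=\.\(\)foo.weird" {
	type primary;
	file "zone.${alg}.weird.db";
	check-names ignore;
	dnssec-policy "weird-${alg}-\"\:\;\?\&\[\]\@\!\$\*\+\,\|\=\.\(\)";
	allow-update { any; };
};

dnssec-policy "${alg}-split" {
	keys {
		ksk key-store "hsm" lifetime unlimited algorithm ${alg};
		zsk key-store "disk" lifetime unlimited algorithm ${alg};
	};
};

zone "${alg}.split" {
	type primary;
	file "zone.${alg}.split.db";
	dnssec-policy "${alg}-split";
	allow-update { any; };
};

EOF
  fi
done

mkdir ns2/keys

# ns2 serves the same zone in two views, each with its own signed file,
# and exercises zones sharing / not sharing a policy across views.
dir="ns2"
infile="${dir}/template.db.in"
split_algtypebits "ecdsap256sha256:EC:prime256v1"
lookup_supported "$alg"
tld="views"

if [ "${supported}" = 1 ]; then
  zone="$alg.$tld"
  zonefile1="zone.$alg.$tld.view1.db"
  zonefile2="zone.$alg.$tld.view2.db"
  ret=0

  echo_i "Generate keys $alg $type:$bits for zone $zone"
  keygen "$type" "$bits" "$zone" enginepkcs11-zsk || ret=1
  keygen "$type" "$bits" "$zone" enginepkcs11-ksk || ret=1
  test "$ret" -eq 0 || exit 1

  echo_i "Get ZSK $alg $zone $type:$bits"
  zsk1=$(keyfromlabel "$alg" "$zone" enginepkcs11-zsk "$dir")
  test -n "$zsk1" || exit 1

  echo_i "Get KSK $alg $zone $type:$bits"
  ksk1=$(keyfromlabel "$alg" "$zone" enginepkcs11-ksk "$dir" -f KSK)
  test -n "$ksk1" || exit 1

  record_key_ids "$dir" "$zone" 1 "$zsk1" "$ksk1"

  echo_i "Sign zone with $ksk1 $zsk1"
  cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile1}"
  # shellcheck disable=SC2086
  $SIGNER $ENGINE_ARG -K "$dir" -S -a -g -O full -o "$zone" "${dir}/${zonefile1}" >"signer.out.view1.$zone" || ret=1
  test "$ret" -eq 0 || exit 1

  cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile2}"
  # shellcheck disable=SC2086
  $SIGNER $ENGINE_ARG -K "$dir" -S -a -g -O full -o "$zone" "${dir}/${zonefile2}" >"signer.out.view2.$zone" || ret=1
  test "$ret" -eq 0 || exit 1

  echo_i "Generate successor keys $alg $type:$bits for zone $zone"
  keygen "$type" "$bits" "$zone" enginepkcs11-zsk2 || ret=1
  keygen "$type" "$bits" "$zone" enginepkcs11-ksk2 || ret=1
  test "$ret" -eq 0 || exit 1

  echo_i "Get ZSK $alg enginepkcs11-zsk2-$zone $type:$bits"
  zsk2=$(keyfromlabel "$alg" "$zone" enginepkcs11-zsk2 "$dir")
  test -n "$zsk2" || exit 1

  echo_i "Get KSK $alg enginepkcs11-ksk2-$zone $type:$bits"
  ksk2=$(keyfromlabel "$alg" "$zone" enginepkcs11-ksk2 "$dir" -f KSK)
  test -n "$ksk2" || exit 1

  record_key_ids "$dir" "$zone" 2 "$zsk2" "$ksk2"
  # Keep a copy of the successor public keys for the test to pick up.
  cp "${dir}/${zsk2}.key" "${dir}/${zsk2}.zsk2"
  cp "${dir}/${ksk2}.key" "${dir}/${ksk2}.ksk2"

  echo_i "Add zone $alg.same-policy.$tld to named.conf"
  cp "$infile" "${dir}/zone.${alg}.same-policy.view1.db"
  cp "$infile" "${dir}/zone.${alg}.same-policy.view2.db"

  echo_i "Add zone zone-with.different-policy.$tld to named.conf"
  cp "$infile" "${dir}/zone.zone-with.different-policy.view1.db"
  cp "$infile" "${dir}/zone.zone-with.different-policy.view2.db"

  echo_i "Add zone $zone to named.conf"
  cat >>"${dir}/named.conf" <<EOF
dnssec-policy "$alg" {
	keys {
		csk key-store "hsm" lifetime unlimited algorithm ${alg};
	};
};

dnssec-policy "rsasha256" {
	keys {
		csk key-store "hsm2" lifetime unlimited algorithm rsasha256 2048;
	};
};

view "view1" {
	match-clients { key "keyforview1"; };

	zone "$zone" {
		type primary;
		file "${zonefile1}.signed";
		allow-update { any; };
	};

	zone "${alg}.same-policy.${tld}" {
		type primary;
		file "zone.${alg}.same-policy.view1.db";
		dnssec-policy "$alg";
		allow-update { any; };
	};

	zone "zone-with.different-policy.${tld}" {
		type primary;
		file "zone.zone-with.different-policy.view1.db";
		dnssec-policy "$alg";
		allow-update { any; };
	};
};

view "view2" {
	match-clients { key "keyforview2"; };

	zone "$zone" {
		type primary;
		file "${zonefile2}.signed";
		allow-update { any; };
	};

	zone "${alg}.same-policy.${tld}" {
		type primary;
		file "zone.${alg}.same-policy.view2.db";
		dnssec-policy "$alg";
		allow-update { any; };
	};

	zone "zone-with.different-policy.${tld}" {
		type primary;
		file "zone.zone-with.different-policy.view2.db";
		dnssec-policy "rsasha256";
		allow-update { any; };
	};
};

EOF
fi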