Test dnssec-policy with multiple key stores

Make sure that if a dnssec-policy uses multiple key stores, the keys
have the right attributes and are stored in their appropriate directory.

bin/tests/system/enginepkcs11/clean.sh

@@ -23,6 +23,7 @@ rm -f pkcs11-tool.err.* pkcs11-tool.out.*
 rm -f signer.out.*
 rm -f ns1/*.example.db ns1/*.example.db.signed
 rm -f ns1/*.kasp.db ns1/*.kasp.db.signed
+rm -f ns1/*.split.db ns1/*.split.db.signed
 rm -f ns1/*.kskid1 ns1/*.kskid2 ns1/*.zskid1 ns1/*.zskid2
 rm -f ns1/dig.out.*
 rm -f ns1/K*
@@ -33,5 +34,6 @@ rm -f ns1/update.cmd.*
 rm -f ns1/update.log.*
 rm -f ns1/verify.out.*
 rm -f ns1/zone.*.jnl ns1/zone.*.jbk
+rm -rf ./ns1/keys/
 
 OPENSSL_CONF= softhsm2-util --delete-token --token "softhsm2-enginepkcs11" >/dev/null 2>&1 || echo_i "softhsm2-enginepkcs11 token not found for cleaning"

bin/tests/system/enginepkcs11/setup.sh

@@ -25,6 +25,8 @@ PWD=$(pwd)
 copy_setports ns1/named.conf.in ns1/named.conf
 sed -e "s/@ENGINE_ARGS@/${ENGINE_ARG}/g" <ns1/named.args.in >ns1/named.args
 
+mkdir ns1/keys
+
 keygen() {
   type="$1"
   bits="$2"
@@ -115,6 +117,9 @@ for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
     echo_i "Add zone $alg.kasp to named.conf"
     cp $infile ${dir}/zone.${alg}.kasp.db
 
+    echo_i "Add zone $alg.split to named.conf"
+    cp $infile ${dir}/zone.${alg}.split.db
+
     echo_i "Add zone $zone to named.conf"
     cat >>"${dir}/named.conf" <<EOF
 zone "$zone" {
@@ -137,6 +142,20 @@ zone "${alg}.kasp" {
 	allow-update { any; };
 };
 
+dnssec-policy "${alg}-split" {
+	keys {
+		ksk key-store "hsm" lifetime unlimited algorithm ${alg};
+		zsk key-store "disk" lifetime unlimited algorithm ${alg};
+	};
+};
+
+zone "${alg}.split" {
+	type primary;
+	file "zone.${alg}.split.db";
+	dnssec-policy "${alg}-split";
+	allow-update { any; };
+};
+
 EOF
   fi
 done

bin/tests/system/enginepkcs11/tests.sh

@@ -176,11 +176,12 @@ EOF
   status=$((status + ret))
 
   # Check dnssec-policy interaction.
-  zone="${alg}.kasp"
 
   # Basic checks if setup was successful (dnssec-policy).
+  zone="${alg}.kasp"
   n=$((n + 1))
   ret=0
+  ret=0
   echo_i "Test key generation was successful for $zone ($n)"
   check_keys $zone 2 || ret=1
   status=$((status + ret))
@@ -209,11 +210,27 @@ EOF
   }
   retry_quiet 2 _dig_policy_soa || ret=1
   test "$ret" -eq 0 || echo_i "failed (expected a SOA RRSIG record)"
+
+  # Check a dnssec-policy that uses multiple key-stores.
+  zone="${alg}.split"
+  echo_i "Test key generation was successful for $zone ($n)"
+  # Check KSK.
+  check_keys $zone 1 || ret=1
+  # Check ZSK.
+  count=$(ls keys/K*.key | grep "K${_zone}" | wc -l)
+  test "$count" -eq 1 || ret=1
+  test "$ret" -eq 0 || echo_i "failed (expected 1 key, got $count)"
+  status=$((status + ret))
+  ret=0
+  count=$(cat keys/K${zone}*.private | grep Engine | wc -l)
+  test "$count" -eq 0 || ret=1
+  count=$(cat keys/K${zone}*.private | grep Label | wc -l)
+  test "$count" -eq 0 || ret=1
+  test "$ret" -eq 0 || echo_i "failed (unexpected Engine and Label in key files)"
   status=$((status + ret))
 
   # Check dnssec-keygen with dnssec-policy and key-store.
   zone="${alg}.keygen"
-
   n=$((n + 1))
   ret=0
   echo_i "Test dnssec-keygen for $zone ($n)"