mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-31 14:35:26 +00:00
Adjust kasp system test to get keys which signed
If there is a keytag conflict between keys with different algorithms, we need to supply what key algorithm is used so we can get the right public key. For clarity, print the algorithm on the found keys after 'check_keys'.
This commit is contained in:
Matthijs Mekking
@@ -166,13 +166,19 @@ _rndccmd() {
|
||||
"$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@"
|
||||
}
|
||||
|
||||
# Print IDs of keys used for generating RRSIG records for RRsets of type $1
|
||||
# found in dig output file $2.
|
||||
# Print IDs of keys used for generating RRSIG records for RRsets of type $1,
|
||||
# matching algorithm number $2, found in dig output file $3.
|
||||
# If $2 is equal to 0, any algorithm matches.
|
||||
get_keys_which_signed() {
|
||||
_qtype=$1
|
||||
_output=$2
|
||||
_alg=$2
|
||||
_output=$3
|
||||
# The key ID is the 11th column of the RRSIG record line.
|
||||
awk -v qt="$_qtype" '$4 == "RRSIG" && $5 == qt {print $11}' <"$_output"
|
||||
if [ "$_alg" = "0" ]; then
|
||||
awk -v qt="$_qtype" '$4 == "RRSIG" && $5 == qt {print $11}' <"$_output"
|
||||
else
|
||||
awk -v alg="$_alg" -v qt="$_qtype" '$4 == "RRSIG" && $5 == qt && $6 == alg {print $11}' <"$_output"
|
||||
fi
|
||||
}
|
||||
|
||||
# Get the key ids from key files for zone $2 in directory $1.
|
||||
@@ -838,19 +844,19 @@ check_keys() {
|
||||
|
||||
ret=0
|
||||
if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
|
||||
echo_i "KEY1 ID $(key_get KEY1 ID)"
|
||||
echo_i "KEY1 ID $(key_get KEY1 ID) ALG $(key_get KEY1 ALG_STR)"
|
||||
test "no" = "$(key_get KEY1 ID)" && _log_error "No KEY1 found for zone ${ZONE}"
|
||||
fi
|
||||
if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
|
||||
echo_i "KEY2 ID $(key_get KEY2 ID)"
|
||||
echo_i "KEY2 ID $(key_get KEY2 ID) ALG $(key_get KEY2 ALG_STR)"
|
||||
test "no" = "$(key_get KEY2 ID)" && _log_error "No KEY2 found for zone ${ZONE}"
|
||||
fi
|
||||
if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
|
||||
echo_i "KEY3 ID $(key_get KEY3 ID)"
|
||||
echo_i "KEY3 ID $(key_get KEY3 ID) ALG $(key_get KEY3 ALG_STR)"
|
||||
test "no" = "$(key_get KEY3 ID)" && _log_error "No KEY3 found for zone ${ZONE}"
|
||||
fi
|
||||
if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
|
||||
echo_i "KEY4 ID $(key_get KEY4 ID)"
|
||||
echo_i "KEY4 ID $(key_get KEY4 ID) ALG $(key_get KEY4 ALG_STR)"
|
||||
test "no" = "$(key_get KEY4 ID)" && _log_error "No KEY4 found for zone ${ZONE}"
|
||||
fi
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
@@ -936,34 +942,34 @@ _check_signatures() {
|
||||
fi
|
||||
|
||||
if [ "$(key_get KEY1 "$_expect_type")" = "yes" ] && [ "$(key_get KEY1 "$_role")" = "yes" ]; then
|
||||
get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" >/dev/null || return 1
|
||||
get_keys_which_signed "$_qtype" "$(key_get KEY1 ALG_NUM)" "$_file" | grep "^$(key_get KEY1 ID)$" >/dev/null || return 1
|
||||
numsigs=$((numsigs + 1))
|
||||
elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
|
||||
get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" >/dev/null && return 1
|
||||
get_keys_which_signed "$_qtype" "$(key_get KEY1 ALG_NUM)" "$_file" | grep "^$(key_get KEY1 ID)$" >/dev/null && return 1
|
||||
fi
|
||||
|
||||
if [ "$(key_get KEY2 "$_expect_type")" = "yes" ] && [ "$(key_get KEY2 "$_role")" = "yes" ]; then
|
||||
get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" >/dev/null || return 1
|
||||
get_keys_which_signed "$_qtype" "$(key_get KEY2 ALG_NUM)" "$_file" | grep "^$(key_get KEY2 ID)$" >/dev/null || return 1
|
||||
numsigs=$((numsigs + 1))
|
||||
elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
|
||||
get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" >/dev/null && return 1
|
||||
get_keys_which_signed "$_qtype" "$(key_get KEY2 ALG_NUM)" "$_file" | grep "^$(key_get KEY2 ID)$" >/dev/null && return 1
|
||||
fi
|
||||
|
||||
if [ "$(key_get KEY3 "$_expect_type")" = "yes" ] && [ "$(key_get KEY3 "$_role")" = "yes" ]; then
|
||||
get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" >/dev/null || return 1
|
||||
get_keys_which_signed "$_qtype" "$(key_get KEY3 ALG_NUM)" "$_file" | grep "^$(key_get KEY3 ID)$" >/dev/null || return 1
|
||||
numsigs=$((numsigs + 1))
|
||||
elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
|
||||
get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" >/dev/null && return 1
|
||||
get_keys_which_signed "$_qtype" "$(key_get KEY3 ALG_NUM)" "$_file" | grep "^$(key_get KEY3 ID)$" >/dev/null && return 1
|
||||
fi
|
||||
|
||||
if [ "$(key_get KEY4 "$_expect_type")" = "yes" ] && [ "$(key_get KEY4 "$_role")" = "yes" ]; then
|
||||
get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY4 ID)$" >/dev/null || return 1
|
||||
get_keys_which_signed "$_qtype" "$(key_get KEY4 ALG_NUM)" "$_file" | grep "^$(key_get KEY4 ID)$" >/dev/null || return 1
|
||||
numsigs=$((numsigs + 1))
|
||||
elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
|
||||
get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY4 ID)$" >/dev/null && return 1
|
||||
get_keys_which_signed "$_qtype" "$(key_get KEY4 ALG_NUM)" "$_file" | grep "^$(key_get KEY4 ID)$" >/dev/null && return 1
|
||||
fi
|
||||
|
||||
lines=$(get_keys_which_signed "${_qtype}" "${_file}" | wc -l)
|
||||
lines=$(get_keys_which_signed "${_qtype}" "0" "${_file}" | wc -l)
|
||||
test "$lines" -eq "$numsigs" || echo_i "bad number of signatures for $_qtype (got $lines, expected $numsigs)"
|
||||
test "$lines" -eq "$numsigs" || return 1
|
||||
|
||||
@@ -1202,7 +1208,7 @@ check_subdomain() {
|
||||
_dig_with_opts "a.$ZONE" "@${SERVER}" $_qtype >"dig.out.$DIR.test$n" || _log_error "dig a.${ZONE} ${_qtype} failed"
|
||||
grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || _log_error "mismatch status in DNS response"
|
||||
grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*10\.0\.0\.1" "dig.out.$DIR.test$n" >/dev/null || _log_error "missing a.${ZONE} ${_qtype} record in response"
|
||||
lines=$(get_keys_which_signed $_qtype "dig.out.$DIR.test$n" | wc -l)
|
||||
lines=$(get_keys_which_signed $_qtype 0 "dig.out.$DIR.test$n" | wc -l)
|
||||
check_signatures $_qtype "dig.out.$DIR.test$n" "ZSK"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
@@ -359,18 +359,18 @@ update_is_signed() {
|
||||
dig_with_opts "a.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n.a" || return 1
|
||||
grep "status: NOERROR" "dig.out.$DIR.test$n.a" >/dev/null || return 1
|
||||
grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_a}" "dig.out.$DIR.test$n.a" >/dev/null || return 1
|
||||
lines=$(get_keys_which_signed A "dig.out.$DIR.test$n.a" | wc -l)
|
||||
lines=$(get_keys_which_signed A 0 "dig.out.$DIR.test$n.a" | wc -l)
|
||||
test "$lines" -eq 1 || return 1
|
||||
get_keys_which_signed A "dig.out.$DIR.test$n.a" | grep "^${KEY_ID}$" >/dev/null || return 1
|
||||
get_keys_which_signed A 0 "dig.out.$DIR.test$n.a" | grep "^${KEY_ID}$" >/dev/null || return 1
|
||||
fi
|
||||
|
||||
if [ "$ip_d" != "-" ]; then
|
||||
dig_with_opts "d.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n".d || return 1
|
||||
grep "status: NOERROR" "dig.out.$DIR.test$n".d >/dev/null || return 1
|
||||
grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_d}" "dig.out.$DIR.test$n".d >/dev/null || return 1
|
||||
lines=$(get_keys_which_signed A "dig.out.$DIR.test$n".d | wc -l)
|
||||
lines=$(get_keys_which_signed A 0 "dig.out.$DIR.test$n".d | wc -l)
|
||||
test "$lines" -eq 1 || return 1
|
||||
get_keys_which_signed A "dig.out.$DIR.test$n".d | grep "^${KEY_ID}$" >/dev/null || return 1
|
||||
get_keys_which_signed A 0 "dig.out.$DIR.test$n".d | grep "^${KEY_ID}$" >/dev/null || return 1
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user