From 7d6eaad1bdadf5595ade06430faadb8361bb731a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Fri, 28 Jun 2019 13:11:26 +0200
Subject: [PATCH] Add and use keyfile_to_key_id() helper function

When trying to extract the key ID from a key file name, some test code incorrectly attempts to strip all leading zeros. This breaks tests when keys with ID 0 are generated.

Add a new helper shell function, keyfile_to_key_id(), which properly handles keys with ID 0 and use it in test code whenever a key ID needs to be extracted from a key file name.
---
 bin/tests/system/autosign/tests.sh | 22 ++++++++++-----------
 bin/tests/system/cds/setup.sh | 6 +++---
 bin/tests/system/conf.sh.common | 9 +++++++++
 bin/tests/system/digdelv/ns2/sign.sh | 2 +-
 bin/tests/system/dnssec/ns1/sign.sh | 2 +-
 bin/tests/system/dnssec/ns2/sign.sh | 4 ++--
 bin/tests/system/dnssec/tests.sh | 8 ++++----
 bin/tests/system/metadata/tests.sh | 16 +++++++--------
 bin/tests/system/mkeys/ns1/sign.sh | 4 +---
 bin/tests/system/mkeys/tests.sh | 2 +-
 bin/tests/system/smartsign/tests.sh | 24 +++++++++++------------
 bin/tests/system/statschannel/ns2/sign.sh | 4 ++--
 bin/tests/system/tkey/ns1/setup.sh | 2 +-
 13 files changed, 56 insertions(+), 49 deletions(-)

diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 9eedf95e4e..50ea0bf2fa 100755
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -283,7 +283,7 @@ sleep 3
 echo_i "checking that expired RRSIGs from missing key are not deleted ($n)"
 ret=0
-missing=`sed 's/^K.*+007+0*\([0-9]\)/\1/' < missingzsk.key`
+missing=$(keyfile_to_key_id "$(cat missingzsk.key)")
 $JOURNALPRINT ns3/nozsk.example.db.jnl | \
 awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$missing || ret=1
 n=`expr $n + 1`
@@ -292,7 +292,7 @@ status=`expr $status + $ret`
 echo_i "checking that expired RRSIGs from inactive key are not deleted ($n)"
 ret=0
-inactive=`sed 's/^K.*+007+0*\([0-9]\)/\1/' < inactivezsk.key`
+inactive=$(keyfile_to_key_id "$(cat inactivezsk.key)")
 $JOURNALPRINT ns3/inaczsk.example.db.jnl | \
 awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$inactive || ret=1
 n=`expr $n + 1`
@@ -837,7 +837,7 @@ status=`expr $status + $ret`
 echo_i "checking for unpublished key ($n)"
 ret=0
-id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < unpub.key`
+id=$(keyfile_to_key_id "$(cat unpub.key)")
 $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
 n=`expr $n + 1`
@@ -846,7 +846,7 @@ status=`expr $status + $ret`
 echo_i "checking for activated but unpublished key ($n)"
 ret=0
-id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < activate-now-publish-1day.key`
+id=$(keyfile_to_key_id "$(cat activate-now-publish-1day.key)")
 $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
 n=`expr $n + 1`
@@ -855,7 +855,7 @@ status=`expr $status + $ret`
 echo_i "checking that standby key does not sign records ($n)"
 ret=0
-id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
+id=$(keyfile_to_key_id "$(cat standby.key)")
 $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
 n=`expr $n + 1`
@@ -864,7 +864,7 @@ status=`expr $status + $ret`
 echo_i "checking that deactivated key does not sign records ($n)"
 ret=0
-id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < inact.key`
+id=$(keyfile_to_key_id "$(cat inact.key)")
 $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
 n=`expr $n + 1`
@@ -873,7 +873,7 @@ status=`expr $status + $ret`
 echo_i "checking insertion of public-only key ($n)"
 ret=0
-id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < nopriv.key`
+id=$(keyfile_to_key_id "$(cat nopriv.key)")
 file="ns1/`cat nopriv.key`.key"
 keydata=`grep DNSKEY $file`
 $NSUPDATE > /dev/null 2>&1 < dig.out.ns1.test$n || ret=1 grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1 n=`expr $n + 1`
@@ -973,9 +973,9 @@ rm -f $file
 echo_i "preparing ZSK roll"
 starttime=`$PERL -e 'print time(), "\n";'`
 oldfile=`cat active.key`
-oldid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < active.key`
+oldid=$(keyfile_to_key_id "$(cat active.key)")
 newfile=`cat standby.key`
-newid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
+newid=$(keyfile_to_key_id "$(cat standby.key)")
 $SETTIME -K ns1 -I now+2s -D now+25 $oldfile > /dev/null
 $SETTIME -K ns1 -i 0 -S $oldfile $newfile > /dev/null
@@ -1137,7 +1137,7 @@ status=`expr $status + $ret`
 echo_i "checking private key file removal caused no immediate harm ($n)"
 ret=0
-id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < vanishing.key`
+id=$(keyfile_to_key_id "$(cat vanishing.key)")
 $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
 n=`expr $n + 1`
diff --git a/bin/tests/system/cds/setup.sh b/bin/tests/system/cds/setup.sh
index 92bd9c94d4..101af11ef2 100644
--- a/bin/tests/system/cds/setup.sh
+++ b/bin/tests/system/cds/setup.sh
@@ -24,9 +24,9 @@ keyz=`$KEYGEN -q -a RSASHA256 $Z`
 key1=`$KEYGEN -q -a RSASHA256 -f KSK $Z`
 key2=`$KEYGEN -q -a RSASHA256 -f KSK $Z`
-idz=`echo $keyz | sed 's/.*+0*//'`
-id1=`echo $key1 | sed 's/.*+0*//'`
-id2=`echo $key2 | sed 's/.*+0*//'`
+idz=$(keyfile_to_key_id $keyz)
+id1=$(keyfile_to_key_id $key1)
+id2=$(keyfile_to_key_id $key2)
 cat <vars.sh Z=$Z
diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common
index b12ec4b879..074b53f977 100644
--- a/bin/tests/system/conf.sh.common
+++ b/bin/tests/system/conf.sh.common
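Review bot: The new `id=$(keyfile_to_key_id "$(cat nopriv.key)")` line reads nopriv.key and the very next context line, `file="ns1/\`cat nopriv.key\`.key"`, reads it again; both values derive from the same key name, and reading it once makes that dependency explicit. Read the name into a variable and derive both from it: `keyfile=$(cat nopriv.key)`, `id=$(keyfile_to_key_id "$keyfile")`, `file="ns1/$keyfile.key"`. The remainder of this check (the nsupdate call and what follows it) appears garbled in this rendering, so I have not reviewed it.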
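Review bot: The three new `idz=$(keyfile_to_key_id $keyz)` lines pass the key name unquoted, unlike the other call sites in this patch (for example `keyfile_to_key_id "$key1"` in dnssec/ns2/sign.sh). If `$keyz` is empty because `$KEYGEN` failed, the unquoted form calls the helper with no argument at all, and the helper as written prints an empty line rather than an error, which then ends up in vars.sh. Quoting keeps the argument count stable and matches the rest of the patch: `idz=$(keyfile_to_key_id "$keyz")`, `id1=$(keyfile_to_key_id "$key1")`, `id2=$(keyfile_to_key_id "$key2")`. The `cat` that writes vars.sh looks garbled in this rendering, so I cannot tell exactly how the IDs are emitted.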
@@ -240,6 +240,15 @@ keyfile_to_initial_keys() {
 keyfile_to_keys_section "dnssec-keys" "initial-key" $*
 }
+# keyfile_to_key_id: convert a key file name to a key ID
+#
+# For a given key file name (e.g. "Kexample.+013+06160") provided as $1,
+# print the key ID with leading zeros stripped ("6160" for the
+# aforementioned example).
+keyfile_to_key_id() {
+ echo "$1" | sed "s/.*+0\{0,4\}//"
+}
+
 # nextpart*() - functions for reading files incrementally
 #
 # These functions aim to facilitate looking for (or waiting for)
diff --git a/bin/tests/system/digdelv/ns2/sign.sh b/bin/tests/system/digdelv/ns2/sign.sh
index e54f5019bc..05f9232083 100644
--- a/bin/tests/system/digdelv/ns2/sign.sh
+++ b/bin/tests/system/digdelv/ns2/sign.sh
@@ -20,5 +20,5 @@ cp example.db.in example.db
 cat "$keyname.key" >> example.db
-echo "$keyname" | sed -e 's/.*[+]//' -e 's/^0*//' > keyid
+keyfile_to_key_id "$keyname" > keyid
 < "$keyname.key" grep -Ev '^;' | cut -f 7- -d ' ' > keydata
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
index 5c223ba814..631411a9f2 100644
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -54,4 +54,4 @@ cp managed.conf ../ns4/managed.conf
 # Save keyid for managed key id test.
 #
-echo "$keyname" | sed -e 's/.*[+]//' -e 's/^0*//' > managed.key.id
+keyfile_to_key_id "$keyname" > managed.key.id
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 0a9af5fc9a..c90f620e86 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
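Review bot: `keyfile_to_key_id()` never checks that its argument looks like a key file name: `sed "s/.*+0\{0,4\}//"` leaves an input with no `+` untouched and turns an empty argument into an empty line, so a caller that passes `$(cat some.key)` for a missing or empty file, or the output of a failed dnssec-keygen, gets a bogus ID with exit status 0. Several callers in this patch use that ID only in negative checks (`grep '; key id = '"$id"'$' ... && ret=1`), which then pass vacuously. The `0\{0,4\}` bound also silently assumes the tag is always printed as exactly five zero-padded digits, as the "06160" example suggests; that assumption should be stated in the header comment, and the function should reject anything that does not end in `+` followed by five digits (the removed mkeys code got the same effect width-independently with `expr "$keyid" + 0`, which would be an alternative). Suggested body:
```shell
keyfile_to_key_id() {
	# Key tags are expected as exactly five zero-padded digits, so stripping
	# at most four zeros can never reduce ID 0 to an empty string.
	case "$1" in
		*+[0-9][0-9][0-9][0-9][0-9]) ;;
		*) echo "keyfile_to_key_id: '$1' is not a key file name" >&2; return 1 ;;
	esac
	echo "$1" | sed "s/.*+0\{0,4\}//"
}
```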
@@ -321,8 +321,8 @@ zonefile=${zone}.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 # Save key id's for checking active key usage
-echo "$key1" | sed -e 's/.*[+]//' -e 's/^0*//' > $zone.ksk.id
-echo "$key2" | sed -e 's/.*[+]//' -e 's/^0*//' > $zone.zsk.id
+keyfile_to_key_id "$key1" > $zone.ksk.id
+keyfile_to_key_id "$key2" > $zone.zsk.id
 echo "${key1}" > $zone.ksk.key
 echo "${key2}" > $zone.zsk.key
 # Add CDS and CDNSKEY records
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index c1a0c40c70..67456b74db 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1563,9 +1563,9 @@ ret=0
 zone=example
 key1=$($KEYGEN -K signer -q -f KSK -a RSASHA1 -b 1024 -n zone $zone)
 key2=$($KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone)
-keyid2=$(echo "$key2" | sed 's/^Kexample.+005+0*\([0-9]\)/\1/')
+keyid2=$(keyfile_to_key_id "$key2")
 key3=$($KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone)
-keyid3=$(echo "$key3" | sed 's/^Kexample.+005+0*\([0-9]\)/\1/')
+keyid3=$(keyfile_to_key_id "$key3")
 (
 cd signer || exit 1
 cat example.db.in "$key1.key" "$key2.key" > example.db
@@ -3951,7 +3951,7 @@ status=$((status+ret))
 # Roll the ZSK.
 zsk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
-echo "$zsk2" | sed -e 's/.*[+]//' -e 's/^0*//' > ns2/$zone.zsk.id2
+keyfile_to_key_id "$zsk2" > ns2/$zone.zsk.id2
 ZSK_ID2=`cat ns2/$zone.zsk.id2`
 echo_i "load new ZSK $ZSK_ID2 for $zone ($n)"
@@ -4023,7 +4023,7 @@ mv ns2/$KSK.private.bak ns2/$KSK.private
 # Roll the ZSK again.
 zsk3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
-echo "$zsk3" | sed -e 's/.*[+]//' -e 's/^0*//' > ns2/$zone.zsk.id3
+keyfile_to_key_id "$zsk3" > ns2/$zone.zsk.id3
 ZSK_ID3=`cat ns2/$zone.zsk.id3`
 echo_i "load new ZSK $ZSK_ID3 for $zone ($n)"
diff --git a/bin/tests/system/metadata/tests.sh b/bin/tests/system/metadata/tests.sh
index a358adfd7b..c076ec5447 100644
--- a/bin/tests/system/metadata/tests.sh
+++ b/bin/tests/system/metadata/tests.sh
@@ -20,14 +20,14 @@ n=1
 echo_i "setting key timers"
 $SETTIME -A now+15s `cat rolling.key` > /dev/null
-inact=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < inact.key`
-ksk=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < ksk.key`
-pending=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < pending.key`
-postrev=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < postrev.key`
-prerev=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < prerev.key`
-rolling=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < rolling.key`
-standby=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < standby.key`
-zsk=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < zsk.key`
+inact=$(keyfile_to_key_id "$(cat inact.key)")
+ksk=$(keyfile_to_key_id "$(cat ksk.key)")
+pending=$(keyfile_to_key_id "$(cat pending.key)")
+postrev=$(keyfile_to_key_id "$(cat postrev.key)")
+prerev=$(keyfile_to_key_id "$(cat prerev.key)")
+rolling=$(keyfile_to_key_id "$(cat rolling.key)")
+standby=$(keyfile_to_key_id "$(cat standby.key)")
+zsk=$(keyfile_to_key_id "$(cat zsk.key)")
 echo_i "signing zones"
 $SIGNER -Sg -o $czone $cfile > /dev/null 2>&1
diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh
index 0e631c3208..135080a467 100644
--- a/bin/tests/system/mkeys/ns1/sign.sh
+++ b/bin/tests/system/mkeys/ns1/sign.sh
@@ -38,6 +38,4 @@ cp unsupported.key "${unsupportedkey}.key"
 #
 echo "$keyname" > managed.key
 echo "$zskkeyname" > zone.key
-keyid=`expr $keyname : 'K\.+00.+\([0-9]*\)'`
-keyid=`expr $keyid + 0`
-echo "$keyid" > managed.key.id
+keyfile_to_key_id $keyname > managed.key.id
diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh
index 07bcee298d..80c19beb03 100644
--- a/bin/tests/system/mkeys/tests.sh
+++ b/bin/tests/system/mkeys/tests.sh
@@ -492,7 +492,7 @@ n=`expr $n + 1`
 echo_i "revoke key with bad signature, check revocation is ignored ($n)"
 ret=0
 revoked=`$REVOKE -K ns1 $original`
-rkeyid=`expr $revoked : 'ns1/K\.+00.+0*\([1-9]*[0-9]*[0-9]\)'`
+rkeyid=$(keyfile_to_key_id $revoked)
 rm -f ns1/root.db.signed.jnl
 # We need to activate at least one valid DNSKEY to prevent dnssec-signzone from
 # failing. Alternatively, we could use -P to disable post-sign verification,
diff --git a/bin/tests/system/smartsign/tests.sh b/bin/tests/system/smartsign/tests.sh
index 8182ce87c8..e1a85d877a 100644
--- a/bin/tests/system/smartsign/tests.sh
+++ b/bin/tests/system/smartsign/tests.sh
@@ -69,19 +69,19 @@ czoneout=`$SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile 2>&1`
 echo_i "signing parent zone"
 pzoneout=`$SIGNER -Sg -o $pzone $pfile 2>&1`
-czactive=`echo $czsk1 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
-czgenerated=`echo $czsk2 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
-czpublished=`echo $czsk3 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
-czinactive=`echo $czsk4 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
-czpredecessor=`echo $czsk5 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
-czsuccessor=`echo $czsk6 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
-ckactive=`echo $cksk1 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
-ckpublished=`echo $cksk2 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
-ckprerevoke=`echo $cksk3 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
-ckrevoked=`echo $cksk4 | sed 's/.*+005+0*\([0-9]*\)$/\1/'`
+czactive=$(keyfile_to_key_id $czsk1)
+czgenerated=$(keyfile_to_key_id $czsk2)
+czpublished=$(keyfile_to_key_id $czsk3)
+czinactive=$(keyfile_to_key_id $czsk4)
+czpredecessor=$(keyfile_to_key_id $czsk5)
+czsuccessor=$(keyfile_to_key_id $czsk6)
+ckactive=$(keyfile_to_key_id $cksk1)
+ckpublished=$(keyfile_to_key_id $cksk2)
+ckprerevoke=$(keyfile_to_key_id $cksk3)
+ckrevoked=$(keyfile_to_key_id $cksk4)
-pzid=`echo $pzsk | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
-pkid=`echo $pksk | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+pzid=$(keyfile_to_key_id $pzsk)
+pkid=$(keyfile_to_key_id $pksk)
 echo_i "checking dnssec-signzone output matches expectations"
 ret=0
diff --git a/bin/tests/system/statschannel/ns2/sign.sh b/bin/tests/system/statschannel/ns2/sign.sh
index 6c275989aa..3a90654d75 100644
--- a/bin/tests/system/statschannel/ns2/sign.sh
+++ b/bin/tests/system/statschannel/ns2/sign.sh
@@ -23,6 +23,6 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 # Sign deliberately with a very short expiration date.
 "$SIGNER" -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1
-echo "$ksk" | sed -e 's/.*[+]//' -e 's/^0*//' > dnssec.ksk.id
-echo "$zsk" | sed -e 's/.*[+]//' -e 's/^0*//' > dnssec.zsk.id
+keyfile_to_key_id "$ksk" > dnssec.ksk.id
+keyfile_to_key_id "$zsk" > dnssec.zsk.id
diff --git a/bin/tests/system/tkey/ns1/setup.sh b/bin/tests/system/tkey/ns1/setup.sh
index 36ed3344ae..a5343396b9 100644
--- a/bin/tests/system/tkey/ns1/setup.sh
+++ b/bin/tests/system/tkey/ns1/setup.sh
@@ -13,6 +13,6 @@ SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
 keyname=`$KEYGEN -T KEY -a DH -b 768 -n host server`
-keyid=`echo $keyname | $PERL -p -e 's/^.*\+0{0,4}//;'`
+keyid=$(keyfile_to_key_id $keyname)
 rm -f named.conf
 sed -e "s;KEYID;$keyid;" < named.conf.in > named.conf
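Review bot: The new `keyid=$(keyfile_to_key_id $keyname)` line feeds straight into `sed -e "s;KEYID;$keyid;"` two lines later without any check on the value; if `$KEYGEN` fails, `$keyname` is empty, the unquoted call passes no argument, the helper prints an empty line, and named.conf is written with the key id blanked out instead of the script stopping. Quote the argument and refuse to generate the config from an empty id, e.g. `keyid=$(keyfile_to_key_id "$keyname")` followed by `[ -n "$keyid" ] || { echo "could not derive key id from '$keyname'" >&2; exit 1; }`. The `$PERL` fallback the old line used is no longer needed here, so the quoted form also keeps this call site consistent with the other hunks in this patch.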