Add and use keyfile_to_key_id() helper function

When trying to extract the key ID from a key file name, some test code
incorrectly attempts to strip all leading zeros.  This breaks tests when
keys with ID 0 are generated.  Add a new helper shell function,
keyfile_to_key_id(), which properly handles keys with ID 0 and use it in
test code whenever a key ID needs to be extracted from a key file name.

bin/tests/system/autosign/tests.sh

@@ -283,7 +283,7 @@ sleep 3
 
 echo_i "checking that expired RRSIGs from missing key are not deleted ($n)"
 ret=0
-missing=`sed 's/^K.*+007+0*\([0-9]\)/\1/' < missingzsk.key`
+missing=$(keyfile_to_key_id "$(cat missingzsk.key)")
 $JOURNALPRINT ns3/nozsk.example.db.jnl | \
    awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$missing || ret=1
 n=`expr $n + 1`
@@ -292,7 +292,7 @@ status=`expr $status + $ret`
 
 echo_i "checking that expired RRSIGs from inactive key are not deleted ($n)"
 ret=0
-inactive=`sed 's/^K.*+007+0*\([0-9]\)/\1/' < inactivezsk.key`
+inactive=$(keyfile_to_key_id "$(cat inactivezsk.key)")
 $JOURNALPRINT ns3/inaczsk.example.db.jnl | \
    awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$inactive || ret=1
 n=`expr $n + 1`
@@ -837,7 +837,7 @@ status=`expr $status + $ret`
 
 echo_i "checking for unpublished key ($n)"
 ret=0
-id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < unpub.key`
+id=$(keyfile_to_key_id "$(cat unpub.key)")
 $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
 n=`expr $n + 1`
@@ -846,7 +846,7 @@ status=`expr $status + $ret`
 
 echo_i "checking for activated but unpublished key ($n)"
 ret=0
-id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < activate-now-publish-1day.key`
+id=$(keyfile_to_key_id "$(cat activate-now-publish-1day.key)")
 $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
 n=`expr $n + 1`
@@ -855,7 +855,7 @@ status=`expr $status + $ret`
 
 echo_i "checking that standby key does not sign records ($n)"
 ret=0
-id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
+id=$(keyfile_to_key_id "$(cat standby.key)")
 $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
 n=`expr $n + 1`
@@ -864,7 +864,7 @@ status=`expr $status + $ret`
 
 echo_i "checking that deactivated key does not sign records  ($n)"
 ret=0
-id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < inact.key`
+id=$(keyfile_to_key_id "$(cat inact.key)")
 $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
 n=`expr $n + 1`
@@ -873,7 +873,7 @@ status=`expr $status + $ret`
 
 echo_i "checking insertion of public-only key ($n)"
 ret=0
-id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < nopriv.key`
+id=$(keyfile_to_key_id "$(cat nopriv.key)")
 file="ns1/`cat nopriv.key`.key"
 keydata=`grep DNSKEY $file`
 $NSUPDATE > /dev/null 2>&1 <<END	|| status=1
@@ -892,7 +892,7 @@ status=`expr $status + $ret`
 
 echo_i "checking key deletion ($n)"
 ret=0
-id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < del.key`
+id=$(keyfile_to_key_id "$(cat del.key)")
 $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
 n=`expr $n + 1`
@@ -973,9 +973,9 @@ rm -f $file
 echo_i "preparing ZSK roll"
 starttime=`$PERL -e 'print time(), "\n";'`
 oldfile=`cat active.key`
-oldid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < active.key`
+oldid=$(keyfile_to_key_id "$(cat active.key)")
 newfile=`cat standby.key`
-newid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
+newid=$(keyfile_to_key_id "$(cat standby.key)")
 $SETTIME -K ns1 -I now+2s -D now+25 $oldfile > /dev/null
 $SETTIME -K ns1 -i 0 -S $oldfile $newfile > /dev/null
 
@@ -1137,7 +1137,7 @@ status=`expr $status + $ret`
 
 echo_i "checking private key file removal caused no immediate harm ($n)"
 ret=0
-id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < vanishing.key`
+id=$(keyfile_to_key_id "$(cat vanishing.key)")
 $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
 n=`expr $n + 1`

bin/tests/system/cds/setup.sh

@@ -24,9 +24,9 @@ keyz=`$KEYGEN -q -a RSASHA256 $Z`
 key1=`$KEYGEN -q -a RSASHA256 -f KSK $Z`
 key2=`$KEYGEN -q -a RSASHA256 -f KSK $Z`
 
-idz=`echo $keyz | sed 's/.*+0*//'`
+idz=$(keyfile_to_key_id $keyz)
-id1=`echo $key1 | sed 's/.*+0*//'`
+id1=$(keyfile_to_key_id $key1)
-id2=`echo $key2 | sed 's/.*+0*//'`
+id2=$(keyfile_to_key_id $key2)
 
 cat <<EOF >vars.sh
 Z=$Z

bin/tests/system/conf.sh.common

@@ -240,6 +240,15 @@ keyfile_to_initial_keys() {
     keyfile_to_keys_section "dnssec-keys" "initial-key" $*
 }
 
+# keyfile_to_key_id: convert a key file name to a key ID
+#
+# For a given key file name (e.g. "Kexample.+013+06160") provided as $1,
+# print the key ID with leading zeros stripped ("6160" for the
+# aforementioned example).
+keyfile_to_key_id() {
+	echo "$1" | sed "s/.*+0\{0,4\}//"
+}
+
 # nextpart*() - functions for reading files incrementally
 #
 # These functions aim to facilitate looking for (or waiting for)

bin/tests/system/digdelv/ns2/sign.sh

@@ -20,5 +20,5 @@ cp example.db.in example.db
 
 cat "$keyname.key" >> example.db
 
-echo "$keyname" | sed -e 's/.*[+]//' -e 's/^0*//' > keyid
+keyfile_to_key_id "$keyname" > keyid
 < "$keyname.key" grep -Ev '^;' | cut -f 7- -d ' ' > keydata

bin/tests/system/dnssec/ns1/sign.sh

@@ -54,4 +54,4 @@ cp managed.conf ../ns4/managed.conf
 #  Save keyid for managed key id test.
 #
 
-echo "$keyname" | sed -e 's/.*[+]//' -e 's/^0*//' > managed.key.id
+keyfile_to_key_id "$keyname" > managed.key.id

bin/tests/system/dnssec/ns2/sign.sh

@@ -321,8 +321,8 @@ zonefile=${zone}.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 # Save key id's for checking active key usage
-echo "$key1" | sed -e 's/.*[+]//' -e 's/^0*//' > $zone.ksk.id
+keyfile_to_key_id "$key1" > $zone.ksk.id
-echo "$key2" | sed -e 's/.*[+]//' -e 's/^0*//' > $zone.zsk.id
+keyfile_to_key_id "$key2" > $zone.zsk.id
 echo "${key1}" > $zone.ksk.key
 echo "${key2}" > $zone.zsk.key
 # Add CDS and CDNSKEY records

bin/tests/system/dnssec/tests.sh

@@ -1563,9 +1563,9 @@ ret=0
 zone=example
 key1=$($KEYGEN -K signer -q -f KSK -a RSASHA1 -b 1024 -n zone $zone)
 key2=$($KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone)
-keyid2=$(echo "$key2" | sed 's/^Kexample.+005+0*\([0-9]\)/\1/')
+keyid2=$(keyfile_to_key_id "$key2")
 key3=$($KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone)
-keyid3=$(echo "$key3" | sed 's/^Kexample.+005+0*\([0-9]\)/\1/')
+keyid3=$(keyfile_to_key_id "$key3")
 (
 cd signer || exit 1
 cat example.db.in "$key1.key" "$key2.key" > example.db
@@ -3951,7 +3951,7 @@ status=$((status+ret))
 
 # Roll the ZSK.
 zsk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
-echo "$zsk2" | sed -e 's/.*[+]//' -e 's/^0*//' > ns2/$zone.zsk.id2
+keyfile_to_key_id "$zsk2" > ns2/$zone.zsk.id2
 ZSK_ID2=`cat ns2/$zone.zsk.id2`
 
 echo_i "load new ZSK $ZSK_ID2 for $zone ($n)"
@@ -4023,7 +4023,7 @@ mv ns2/$KSK.private.bak ns2/$KSK.private
 
 # Roll the ZSK again.
 zsk3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
-echo "$zsk3" | sed -e 's/.*[+]//' -e 's/^0*//' > ns2/$zone.zsk.id3
+keyfile_to_key_id "$zsk3" > ns2/$zone.zsk.id3
 ZSK_ID3=`cat ns2/$zone.zsk.id3`
 
 echo_i "load new ZSK $ZSK_ID3 for $zone ($n)"

bin/tests/system/metadata/tests.sh

@@ -20,14 +20,14 @@ n=1
 echo_i "setting key timers"
 $SETTIME -A now+15s `cat rolling.key` > /dev/null
 
-inact=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < inact.key`
+inact=$(keyfile_to_key_id "$(cat inact.key)")
-ksk=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < ksk.key`
+ksk=$(keyfile_to_key_id "$(cat ksk.key)")
-pending=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < pending.key`
+pending=$(keyfile_to_key_id "$(cat pending.key)")
-postrev=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < postrev.key`
+postrev=$(keyfile_to_key_id "$(cat postrev.key)")
-prerev=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < prerev.key`
+prerev=$(keyfile_to_key_id "$(cat prerev.key)")
-rolling=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < rolling.key`
+rolling=$(keyfile_to_key_id "$(cat rolling.key)")
-standby=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < standby.key`
+standby=$(keyfile_to_key_id "$(cat standby.key)")
-zsk=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < zsk.key`
+zsk=$(keyfile_to_key_id "$(cat zsk.key)")
 
 echo_i "signing zones"
 $SIGNER -Sg -o $czone $cfile > /dev/null 2>&1

bin/tests/system/mkeys/ns1/sign.sh

@@ -38,6 +38,4 @@ cp unsupported.key "${unsupportedkey}.key"
 #
 echo "$keyname" > managed.key
 echo "$zskkeyname" > zone.key
-keyid=`expr $keyname : 'K\.+00.+\([0-9]*\)'`
+keyfile_to_key_id $keyname > managed.key.id
-keyid=`expr $keyid + 0`
-echo "$keyid" > managed.key.id

bin/tests/system/mkeys/tests.sh

@@ -492,7 +492,7 @@ n=`expr $n + 1`
 echo_i "revoke key with bad signature, check revocation is ignored ($n)"
 ret=0
 revoked=`$REVOKE -K ns1 $original`
-rkeyid=`expr $revoked : 'ns1/K\.+00.+0*\([1-9]*[0-9]*[0-9]\)'`
+rkeyid=$(keyfile_to_key_id $revoked)
 rm -f ns1/root.db.signed.jnl
 # We need to activate at least one valid DNSKEY to prevent dnssec-signzone from
 # failing.  Alternatively, we could use -P to disable post-sign verification,

bin/tests/system/smartsign/tests.sh

@@ -69,19 +69,19 @@ czoneout=`$SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile 2>&1`
 echo_i "signing parent zone"
 pzoneout=`$SIGNER -Sg -o $pzone $pfile 2>&1`
 
-czactive=`echo $czsk1 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+czactive=$(keyfile_to_key_id $czsk1)
-czgenerated=`echo $czsk2 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+czgenerated=$(keyfile_to_key_id $czsk2)
-czpublished=`echo $czsk3 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+czpublished=$(keyfile_to_key_id $czsk3)
-czinactive=`echo $czsk4 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+czinactive=$(keyfile_to_key_id $czsk4)
-czpredecessor=`echo $czsk5 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+czpredecessor=$(keyfile_to_key_id $czsk5)
-czsuccessor=`echo $czsk6 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+czsuccessor=$(keyfile_to_key_id $czsk6)
-ckactive=`echo $cksk1 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+ckactive=$(keyfile_to_key_id $cksk1)
-ckpublished=`echo $cksk2 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+ckpublished=$(keyfile_to_key_id $cksk2)
-ckprerevoke=`echo $cksk3 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+ckprerevoke=$(keyfile_to_key_id $cksk3)
-ckrevoked=`echo $cksk4 | sed 's/.*+005+0*\([0-9]*\)$/\1/'`
+ckrevoked=$(keyfile_to_key_id $cksk4)
 
-pzid=`echo $pzsk | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+pzid=$(keyfile_to_key_id $pzsk)
-pkid=`echo $pksk | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+pkid=$(keyfile_to_key_id $pksk)
 
 echo_i "checking dnssec-signzone output matches expectations"
 ret=0

bin/tests/system/statschannel/ns2/sign.sh

@@ -23,6 +23,6 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 # Sign deliberately with a very short expiration date.
 "$SIGNER" -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1
 
-echo "$ksk" | sed -e 's/.*[+]//' -e 's/^0*//' > dnssec.ksk.id
+keyfile_to_key_id "$ksk" > dnssec.ksk.id
-echo "$zsk" | sed -e 's/.*[+]//' -e 's/^0*//' > dnssec.zsk.id
+keyfile_to_key_id "$zsk" > dnssec.zsk.id
 

bin/tests/system/tkey/ns1/setup.sh

@@ -13,6 +13,6 @@ SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
 
 keyname=`$KEYGEN -T KEY -a DH -b 768 -n host server`
-keyid=`echo $keyname | $PERL -p -e 's/^.*\+0{0,4}//;'`
+keyid=$(keyfile_to_key_id $keyname)
 rm -f named.conf
 sed -e "s;KEYID;$keyid;" < named.conf.in > named.conf