From ba6ee5af50c831bc2d45ea0516f4e6dca75dc0c1 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 20 Jul 2022 15:42:30 +1000
Subject: [PATCH] dnssec: check if RSASHA1 is supported by the OS

If not skip RSASHA1 based system tests which are supposed to succeed even in FIPS mode.
---
 bin/tests/system/dnssec/tests.sh | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 4a04e98a7d..479e40452b 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1103,10 +1103,15 @@ status=$((status+ret))
 # Should work with FIPS mode as we are only validating
 echo_i "checking positive validation RSASHA1 NSEC ($n)"
 ret=0
-dig_with_opts +noauth a.rsasha1.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.rsasha1.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+if $FEATURETEST --rsasha1
+then
+ dig_with_opts +noauth a.rsasha1.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ dig_with_opts +noauth a.rsasha1.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+ grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+else
+ echo_i "skip: RSASHA1 not supported by OS"
+fi
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
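Review bot: The new `else` branch leaves `ret=0`, so whenever `$FEATURETEST --rsasha1` exits non-zero the RSASHA1 validation check counts as passed with nothing exercised. The same path would be taken if `FEATURETEST` were unset or the helper could not run (inferred; its definition is outside this hunk), which would be reported as "not supported by OS". The context comment `# Should work with FIPS mode as we are only validating` now contradicts the guard and could read `# Validation only; skipped when the crypto library cannot verify RSASHA1`. Since a validator that cannot verify an algorithm is expected to treat the zone as insecure rather than fail, consider having the skip path assert that the answer from 10.53.0.4 is returned without the `ad` flag, so the policy-disabled case keeps coverage. The RSASHA1 (1024 bits) hunk below has the same shape and the same gap.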
@@ -1114,10 +1119,15 @@ status=$((status+ret))
 # Should work with FIPS mode as we are only validating
 echo_i "checking positive validation RSASHA1 (1024 bits) NSEC ($n)"
 ret=0
-dig_with_opts +noauth a.rsasha1-1024.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.rsasha1-1024.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+if $FEATURETEST --rsasha1
+then
+ dig_with_opts +noauth a.rsasha1-1024.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ dig_with_opts +noauth a.rsasha1-1024.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+ grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+else
+ echo_i "skip: RSASHA1 not supported by OS"
+fi
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))