From d360d8af8fd8baf9bf5d313567ed21042f9d420f Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Tue, 16 May 2023 10:15:00 +1000
Subject: [PATCH] Let RSASHA1 signing keys be ignored in FIPS mode

When the FIPS provider is available, RSASHA1 signing keys for zone "example.com." are ignored if the zone is attempted to be signed with the dnssec-signzone "-F" (FIPS mode) option: "fatal: No signing keys specified or found"
---
 bin/tests/system/dnssec/tests.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 224de5e0f3..8f5f68a019 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1456,7 +1456,8 @@ else
 cd signer/general || exit 1
 rm -f signed.zone
 $SIGNER -F -f signed.zone -o example.com. test11.zone > signer.out.$n 2>&1 && exit 1
- grep "fatal: dnskey 'example.com/RSASHA1/19857' failed to sign data" signer.out.$n > /dev/null
+ grep -F -e "fatal: No signing keys specified or found" \
+ -e "fatal: dnskey 'example.com/RSASHA1/19857' failed to sign data" signer.out.$n > /dev/null
 ) || ret=1
 fi
 n=$((n+1))
@@ -3588,7 +3589,7 @@ then
 echo_i "skipped: RSASHA1 is not supported"
 else
 $KEYGEN -F -a rsasha1 example.fips 2> keygen.err$n || true
- grep "unsupported algorithm: RSASHA1" "keygen.err$n" > /dev/null || ret=1
+ grep -i "unsupported algorithm: RSASHA1" "keygen.err$n" > /dev/null || ret=1
 fi
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
@@ -3607,7 +3608,7 @@ then
 echo_i "skipped: RSASHA1 is not supported"
 else
 $KEYGEN -F -a nsec3rsasha1 example.fips 2> keygen.err$n || true
- grep "unsupported algorithm: NSEC3RSASHA1" "keygen.err$n" > /dev/null || ret=1
+ grep -i "unsupported algorithm: NSEC3RSASHA1" "keygen.err$n" > /dev/null || ret=1
 fi
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
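Review bot: In the signer/general hunk (@@ -1456), the added alternative `fatal: No signing keys specified or found` is a generic message, so the check can now pass whenever dnssec-signzone finds no usable key at all, not only when the RSASHA1 key is skipped because of FIPS mode. If the key files for id 19857 were missing from signer/general, the test would presumably still succeed without exercising the FIPS restriction. Consider asserting that the key is present before the signer runs, and add a comment above the grep such as `# FIPS provider: the RSASHA1 key is ignored, so no keys are found; otherwise signing with it fails`. The enclosing subshell and if/else start outside the hunk.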
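Review bot: In the two keygen hunks (@@ -3588 and @@ -3607), the exit status of `$KEYGEN -F -a ...` is still discarded by `|| true`, so the test depends only on the stderr text and would not notice a run that prints the message yet exits 0. If dnssec-keygen is expected to fail for these algorithms in FIPS mode, `$KEYGEN -F -a rsasha1 example.fips 2> keygen.err$n && ret=1` (and the same for nsec3rsasha1) would check that as well. The new `-i` makes the whole message case-insensitive, and the commit message does not say which spelling changed; a short comment naming the accepted spellings would document why the match was loosened. The surrounding if/then begins outside both hunks.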