Commit 7d6eaad1 authored by Michał Kępień's avatar Michał Kępień

Add and use keyfile_to_key_id() helper function

When trying to extract the key ID from a key file name, some test code
incorrectly attempts to strip all leading zeros.  This breaks tests when
keys with ID 0 are generated.  Add a new helper shell function,
keyfile_to_key_id(), which properly handles keys with ID 0 and use it in
test code whenever a key ID needs to be extracted from a key file name.
parent f895e4aa
Pipeline #16602 passed with stages
in 19 minutes and 27 seconds
......@@ -283,7 +283,7 @@ sleep 3
echo_i "checking that expired RRSIGs from missing key are not deleted ($n)"
ret=0
missing=`sed 's/^K.*+007+0*\([0-9]\)/\1/' < missingzsk.key`
missing=$(keyfile_to_key_id "$(cat missingzsk.key)")
$JOURNALPRINT ns3/nozsk.example.db.jnl | \
awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$missing || ret=1
n=`expr $n + 1`
......@@ -292,7 +292,7 @@ status=`expr $status + $ret`
echo_i "checking that expired RRSIGs from inactive key are not deleted ($n)"
ret=0
inactive=`sed 's/^K.*+007+0*\([0-9]\)/\1/' < inactivezsk.key`
inactive=$(keyfile_to_key_id "$(cat inactivezsk.key)")
$JOURNALPRINT ns3/inaczsk.example.db.jnl | \
awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$inactive || ret=1
n=`expr $n + 1`
......@@ -837,7 +837,7 @@ status=`expr $status + $ret`
echo_i "checking for unpublished key ($n)"
ret=0
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < unpub.key`
id=$(keyfile_to_key_id "$(cat unpub.key)")
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
......@@ -846,7 +846,7 @@ status=`expr $status + $ret`
echo_i "checking for activated but unpublished key ($n)"
ret=0
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < activate-now-publish-1day.key`
id=$(keyfile_to_key_id "$(cat activate-now-publish-1day.key)")
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
......@@ -855,7 +855,7 @@ status=`expr $status + $ret`
echo_i "checking that standby key does not sign records ($n)"
ret=0
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
id=$(keyfile_to_key_id "$(cat standby.key)")
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
......@@ -864,7 +864,7 @@ status=`expr $status + $ret`
echo_i "checking that deactivated key does not sign records ($n)"
ret=0
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < inact.key`
id=$(keyfile_to_key_id "$(cat inact.key)")
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
......@@ -873,7 +873,7 @@ status=`expr $status + $ret`
echo_i "checking insertion of public-only key ($n)"
ret=0
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < nopriv.key`
id=$(keyfile_to_key_id "$(cat nopriv.key)")
file="ns1/`cat nopriv.key`.key"
keydata=`grep DNSKEY $file`
$NSUPDATE > /dev/null 2>&1 <<END || status=1
......@@ -892,7 +892,7 @@ status=`expr $status + $ret`
echo_i "checking key deletion ($n)"
ret=0
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < del.key`
id=$(keyfile_to_key_id "$(cat del.key)")
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
......@@ -973,9 +973,9 @@ rm -f $file
echo_i "preparing ZSK roll"
starttime=`$PERL -e 'print time(), "\n";'`
oldfile=`cat active.key`
oldid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < active.key`
oldid=$(keyfile_to_key_id "$(cat active.key)")
newfile=`cat standby.key`
newid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
newid=$(keyfile_to_key_id "$(cat standby.key)")
$SETTIME -K ns1 -I now+2s -D now+25 $oldfile > /dev/null
$SETTIME -K ns1 -i 0 -S $oldfile $newfile > /dev/null
......@@ -1137,7 +1137,7 @@ status=`expr $status + $ret`
echo_i "checking private key file removal caused no immediate harm ($n)"
ret=0
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < vanishing.key`
id=$(keyfile_to_key_id "$(cat vanishing.key)")
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
......
......@@ -24,9 +24,9 @@ keyz=`$KEYGEN -q -a RSASHA256 $Z`
key1=`$KEYGEN -q -a RSASHA256 -f KSK $Z`
key2=`$KEYGEN -q -a RSASHA256 -f KSK $Z`
idz=`echo $keyz | sed 's/.*+0*//'`
id1=`echo $key1 | sed 's/.*+0*//'`
id2=`echo $key2 | sed 's/.*+0*//'`
idz=$(keyfile_to_key_id $keyz)
id1=$(keyfile_to_key_id $key1)
id2=$(keyfile_to_key_id $key2)
cat <<EOF >vars.sh
Z=$Z
......
......@@ -240,6 +240,15 @@ keyfile_to_initial_keys() {
keyfile_to_keys_section "dnssec-keys" "initial-key" $*
}
# keyfile_to_key_id: convert a key file name to a key ID
#
# For a given key file name (e.g. "Kexample.+013+06160") provided as $1,
# print the key ID with leading zeros stripped ("6160" for the
# aforementioned example).
keyfile_to_key_id() {
echo "$1" | sed "s/.*+0\{0,4\}//"
}
# nextpart*() - functions for reading files incrementally
#
# These functions aim to facilitate looking for (or waiting for)
......
......@@ -20,5 +20,5 @@ cp example.db.in example.db
cat "$keyname.key" >> example.db
echo "$keyname" | sed -e 's/.*[+]//' -e 's/^0*//' > keyid
keyfile_to_key_id "$keyname" > keyid
< "$keyname.key" grep -Ev '^;' | cut -f 7- -d ' ' > keydata
......@@ -54,4 +54,4 @@ cp managed.conf ../ns4/managed.conf
# Save keyid for managed key id test.
#
echo "$keyname" | sed -e 's/.*[+]//' -e 's/^0*//' > managed.key.id
keyfile_to_key_id "$keyname" > managed.key.id
......@@ -321,8 +321,8 @@ zonefile=${zone}.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
# Save key id's for checking active key usage
echo "$key1" | sed -e 's/.*[+]//' -e 's/^0*//' > $zone.ksk.id
echo "$key2" | sed -e 's/.*[+]//' -e 's/^0*//' > $zone.zsk.id
keyfile_to_key_id "$key1" > $zone.ksk.id
keyfile_to_key_id "$key2" > $zone.zsk.id
echo "${key1}" > $zone.ksk.key
echo "${key2}" > $zone.zsk.key
# Add CDS and CDNSKEY records
......
......@@ -1563,9 +1563,9 @@ ret=0
zone=example
key1=$($KEYGEN -K signer -q -f KSK -a RSASHA1 -b 1024 -n zone $zone)
key2=$($KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone)
keyid2=$(echo "$key2" | sed 's/^Kexample.+005+0*\([0-9]\)/\1/')
keyid2=$(keyfile_to_key_id "$key2")
key3=$($KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone)
keyid3=$(echo "$key3" | sed 's/^Kexample.+005+0*\([0-9]\)/\1/')
keyid3=$(keyfile_to_key_id "$key3")
(
cd signer || exit 1
cat example.db.in "$key1.key" "$key2.key" > example.db
......@@ -3951,7 +3951,7 @@ status=$((status+ret))
# Roll the ZSK.
zsk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
echo "$zsk2" | sed -e 's/.*[+]//' -e 's/^0*//' > ns2/$zone.zsk.id2
keyfile_to_key_id "$zsk2" > ns2/$zone.zsk.id2
ZSK_ID2=`cat ns2/$zone.zsk.id2`
echo_i "load new ZSK $ZSK_ID2 for $zone ($n)"
......@@ -4023,7 +4023,7 @@ mv ns2/$KSK.private.bak ns2/$KSK.private
# Roll the ZSK again.
zsk3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
echo "$zsk3" | sed -e 's/.*[+]//' -e 's/^0*//' > ns2/$zone.zsk.id3
keyfile_to_key_id "$zsk3" > ns2/$zone.zsk.id3
ZSK_ID3=`cat ns2/$zone.zsk.id3`
echo_i "load new ZSK $ZSK_ID3 for $zone ($n)"
......
......@@ -20,14 +20,14 @@ n=1
echo_i "setting key timers"
$SETTIME -A now+15s `cat rolling.key` > /dev/null
inact=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < inact.key`
ksk=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < ksk.key`
pending=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < pending.key`
postrev=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < postrev.key`
prerev=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < prerev.key`
rolling=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < rolling.key`
standby=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < standby.key`
zsk=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < zsk.key`
inact=$(keyfile_to_key_id "$(cat inact.key)")
ksk=$(keyfile_to_key_id "$(cat ksk.key)")
pending=$(keyfile_to_key_id "$(cat pending.key)")
postrev=$(keyfile_to_key_id "$(cat postrev.key)")
prerev=$(keyfile_to_key_id "$(cat prerev.key)")
rolling=$(keyfile_to_key_id "$(cat rolling.key)")
standby=$(keyfile_to_key_id "$(cat standby.key)")
zsk=$(keyfile_to_key_id "$(cat zsk.key)")
echo_i "signing zones"
$SIGNER -Sg -o $czone $cfile > /dev/null 2>&1
......
......@@ -38,6 +38,4 @@ cp unsupported.key "${unsupportedkey}.key"
#
echo "$keyname" > managed.key
echo "$zskkeyname" > zone.key
keyid=`expr $keyname : 'K\.+00.+\([0-9]*\)'`
keyid=`expr $keyid + 0`
echo "$keyid" > managed.key.id
keyfile_to_key_id $keyname > managed.key.id
......@@ -492,7 +492,7 @@ n=`expr $n + 1`
echo_i "revoke key with bad signature, check revocation is ignored ($n)"
ret=0
revoked=`$REVOKE -K ns1 $original`
rkeyid=`expr $revoked : 'ns1/K\.+00.+0*\([1-9]*[0-9]*[0-9]\)'`
rkeyid=$(keyfile_to_key_id $revoked)
rm -f ns1/root.db.signed.jnl
# We need to activate at least one valid DNSKEY to prevent dnssec-signzone from
# failing. Alternatively, we could use -P to disable post-sign verification,
......
......@@ -69,19 +69,19 @@ czoneout=`$SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile 2>&1`
echo_i "signing parent zone"
pzoneout=`$SIGNER -Sg -o $pzone $pfile 2>&1`
czactive=`echo $czsk1 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
czgenerated=`echo $czsk2 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
czpublished=`echo $czsk3 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
czinactive=`echo $czsk4 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
czpredecessor=`echo $czsk5 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
czsuccessor=`echo $czsk6 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
ckactive=`echo $cksk1 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
ckpublished=`echo $cksk2 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
ckprerevoke=`echo $cksk3 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
ckrevoked=`echo $cksk4 | sed 's/.*+005+0*\([0-9]*\)$/\1/'`
pzid=`echo $pzsk | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
pkid=`echo $pksk | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
czactive=$(keyfile_to_key_id $czsk1)
czgenerated=$(keyfile_to_key_id $czsk2)
czpublished=$(keyfile_to_key_id $czsk3)
czinactive=$(keyfile_to_key_id $czsk4)
czpredecessor=$(keyfile_to_key_id $czsk5)
czsuccessor=$(keyfile_to_key_id $czsk6)
ckactive=$(keyfile_to_key_id $cksk1)
ckpublished=$(keyfile_to_key_id $cksk2)
ckprerevoke=$(keyfile_to_key_id $cksk3)
ckrevoked=$(keyfile_to_key_id $cksk4)
pzid=$(keyfile_to_key_id $pzsk)
pkid=$(keyfile_to_key_id $pksk)
echo_i "checking dnssec-signzone output matches expectations"
ret=0
......
......@@ -23,6 +23,6 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
# Sign deliberately with a very short expiration date.
"$SIGNER" -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1
echo "$ksk" | sed -e 's/.*[+]//' -e 's/^0*//' > dnssec.ksk.id
echo "$zsk" | sed -e 's/.*[+]//' -e 's/^0*//' > dnssec.zsk.id
keyfile_to_key_id "$ksk" > dnssec.ksk.id
keyfile_to_key_id "$zsk" > dnssec.zsk.id
......@@ -13,6 +13,6 @@ SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
keyname=`$KEYGEN -T KEY -a DH -b 768 -n host server`
keyid=`echo $keyname | $PERL -p -e 's/^.*\+0{0,4}//;'`
keyid=$(keyfile_to_key_id $keyname)
rm -f named.conf
sed -e "s;KEYID;$keyid;" < named.conf.in > named.conf
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment