Commit a40c60e4 authored by Michał Kępień's avatar Michał Kępień

Fix key ID extraction in the "dnssec" system test

Simply looking for the key ID surrounded by spaces in the tested
dnssec-signzone output file is not a precise enough method of checking
for signatures prepared using a given key ID: it can be tripped up by
cross-algorithm key ID collisions and certain low key IDs (e.g. 60, the
TTL specified in bin/tests/system/dnssec/signer/example.db.in), which
triggers false positives for the "dnssec" system test.  Make key ID
extraction precise by using an awk script which operates on specific
fields.
parent a17aff74
Pipeline #12478 passed with stages
in 13 minutes and 28 seconds
......@@ -1440,6 +1440,19 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
get_rsasha1_key_ids_from_sigs() {
awk '
NF < 8 { next }
$(NF-5) != "RRSIG" { next }
$(NF-3) != "5" { next }
$NF != "(" { next }
{
getline;
print $3;
}
' signer/example.db.signed | sort -u
}
echo_i "checking that we can sign a zone with out-of-zone records ($n)"
ret=0
zone=example
......@@ -1540,8 +1553,8 @@ cat example.db.in "$key1.key" "$key3.key" > example.db
echo "\$INCLUDE \"example.db.signed\"" >> example.db
$SIGNER -D -o example example.db > /dev/null 2>&1
) || ret=1
grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 || ret=1
grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1
get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null || ret=1
get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
......@@ -1552,8 +1565,8 @@ ret=0
cd signer || exit 1
$SIGNER -RD -o example example.db > /dev/null 2>&1
) || ret=1
grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 && ret=1
grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1
get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null && ret=1
get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
......@@ -1570,8 +1583,8 @@ echo "\$INCLUDE \"example.db.signed\"" >> example.db
$SETTIME -I now "$key2" > /dev/null 2>&1
$SIGNER -SD -o example example.db > /dev/null 2>&1
) || ret=1
grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 || ret=1
grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1
get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null || ret=1
get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
......@@ -1582,8 +1595,8 @@ ret=0
cd signer || exit 1
$SIGNER -SDQ -o example example.db > /dev/null 2>&1
) || ret=1
grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 && ret=1
grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1
get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null && ret=1
get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment