ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

sh the fmt up

Browse Source 
Apply shfmt patch. Ideally I fixup every commit that changes testing,
but that is just too much at this point.
This commit is contained in:
Matthijs Mekking
2024-02-26 16:29:59 +01:00
parent e7525cab4f
commit 46785dc71e
2 changed files with 345 additions and 352 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
bin/tests/system/ksr/setup.sh
View File

@@ -24,16 +24,15 @@ mkdir offline
copy_setports named.conf.in named.conf
# Create KSK for the various policies.
create_ksk () {
KSK=$($KEYGEN -l named.conf -fK -k $2 $1 2> keygen.out.$1)
num=0
for ksk in $KSK
do
num=$(($num+1))
cat "${ksk}.key" | grep -v ";.*" > "$1.ksk$num"
cp "${ksk}.key" offline/
cp "${ksk}.private" offline/
done
create_ksk() {
KSK=$($KEYGEN -l named.conf -fK -k $2 $1 2>keygen.out.$1)
num=0
for ksk in $KSK; do
num=$(($num + 1))
cat "${ksk}.key" | grep -v ";.*" >"$1.ksk$num"
cp "${ksk}.key" offline/
cp "${ksk}.private" offline/
done
}
create_ksk common.test common
create_ksk unlimited.test unlimited

678
bin/tests/system/ksr/tests.sh
View File

@@ -25,12 +25,12 @@ n=0
# $1: Value
# $2: Additional time
addtime() {
if [ -x "$PYTHON" ]; then
# Convert "%Y%m%d%H%M%S" format to epoch seconds.
# Then, add the additional time (can be negative).
_value=$1
_plus=$2
$PYTHON > python.out <<EOF
if [ -x "$PYTHON" ]; then
# Convert "%Y%m%d%H%M%S" format to epoch seconds.
# Then, add the additional time (can be negative).
_value=$1
_plus=$2
$PYTHON >python.out <<EOF
from datetime import datetime
from datetime import timedelta
_now = datetime.strptime("$_value", "%Y%m%d%H%M%S")
@@ -38,329 +38,323 @@ _delta = timedelta(seconds=$_plus)
_then = _now + _delta
print(_then.strftime("%Y%m%d%H%M%S"));
EOF
cat python.out
fi
cat python.out
fi
}
# Check keys that were created. The keys created are listed in the latest ksr
# output file, ksr.keygen.out.$n.
# $1: zone name
# $2: key directory
check_keys () (
zone=$1
dir=$2
lifetime=$LIFETIME
alg=$ALG
size=$SIZE
inception=0
pad=$(printf "%03d" "$alg")
check_keys() (
zone=$1
dir=$2
lifetime=$LIFETIME
alg=$ALG
size=$SIZE
inception=0
pad=$(printf "%03d" "$alg")
num=0
for key in $(grep "K${zone}.+$pad+" ksr.keygen.out.$n)
do
grep "; Created:" "${dir}/${key}.key" > created.out || return 1
created=$(awk '{print $3}' < created.out)
test "$num" -eq 0 && retired=$created
# active: retired previous key
active=$retired
# published: 2h5m (dnskey-ttl + publish-safety + propagation)
published=$(addtime $active -7500)
# retired: zsk-lifetime
retired=$(addtime $active $lifetime)
# removed: 10d1h5m (ttlsig + retire-safety + sign-delay + propagation)
removed=$(addtime $retired 867900)
num=0
for key in $(grep "K${zone}.+$pad+" ksr.keygen.out.$n); do
grep "; Created:" "${dir}/${key}.key" >created.out || return 1
created=$(awk '{print $3}' <created.out)
test "$num" -eq 0 && retired=$created
# active: retired previous key
active=$retired
# published: 2h5m (dnskey-ttl + publish-safety + propagation)
published=$(addtime $active -7500)
# retired: zsk-lifetime
retired=$(addtime $active $lifetime)
# removed: 10d1h5m (ttlsig + retire-safety + sign-delay + propagation)
removed=$(addtime $retired 867900)
echo_i "check metadata on $key"
statefile="${dir}/${key}.state"
grep "Algorithm: $alg" $statefile > /dev/null || return 1
grep "Length: $size" $statefile > /dev/null || return 1
grep "Lifetime: $lifetime" $statefile > /dev/null || return 1
grep "KSK: no" $statefile > /dev/null || return 1
grep "ZSK: yes" $statefile > /dev/null || return 1
grep "Published: $published" $statefile > /dev/null || return 1
grep "Active: $active" $statefile > /dev/null || return 1
grep "Retired: $retired" $statefile > /dev/null || return 1
grep "Removed: $removed" $statefile > /dev/null || return 1
echo_i "check metadata on $key"
statefile="${dir}/${key}.state"
grep "Algorithm: $alg" $statefile >/dev/null || return 1
grep "Length: $size" $statefile >/dev/null || return 1
grep "Lifetime: $lifetime" $statefile >/dev/null || return 1
grep "KSK: no" $statefile >/dev/null || return 1
grep "ZSK: yes" $statefile >/dev/null || return 1
grep "Published: $published" $statefile >/dev/null || return 1
grep "Active: $active" $statefile >/dev/null || return 1
grep "Retired: $retired" $statefile >/dev/null || return 1
grep "Removed: $removed" $statefile >/dev/null || return 1
inception=$((inception+lifetime))
num=$((num+1))
inception=$((inception + lifetime))
num=$((num + 1))
# Save some information for testing
cp ${dir}/${key}.key ${key}.key.expect
cp ${dir}/${key}.private ${key}.private.expect
cp ${dir}/${key}.state ${key}.state.expect
cat ${dir}/${key}.key | grep -v ";.*" > "${zone}.${alg}.zsk${num}"
echo $key > "${zone}.${alg}.zsk${num}.id"
done
# Save some information for testing
cp ${dir}/${key}.key ${key}.key.expect
cp ${dir}/${key}.private ${key}.private.expect
cp ${dir}/${key}.state ${key}.state.expect
cat ${dir}/${key}.key | grep -v ";.*" >"${zone}.${alg}.zsk${num}"
echo $key >"${zone}.${alg}.zsk${num}.id"
done
return 0
return 0
)
# Print the DNSKEY records for zone $1, which have keys listed in file $5
# that match the keys with numbers $2 and $3, and match algorithm number $4,
# sorted by keytag.
print_dnskeys () {
for key in $(cat $5 | sort)
do
for num in $2 $3
do
zsk=$(cat $1.$4.zsk$num.id)
if [ "$key" = "$zsk" ]; then
cat $1.$4.zsk$num >> ksr.request.expect.$n
fi
done
done
print_dnskeys() {
for key in $(cat $5 | sort); do
for num in $2 $3; do
zsk=$(cat $1.$4.zsk$num.id)
if [ "$key" = "$zsk" ]; then
cat $1.$4.zsk$num >>ksr.request.expect.$n
fi
done
done
}
# Call the dnssec-ksr command:
# ksr <policy> [options] <command> <zone>
ksr () {
$KSR -l named.conf -k "$@"
ksr() {
$KSR -l named.conf -k "$@"
}
# Unknown action.
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr' errors on unknown action ($n)"
ret=0
ksr common foobar common.test > ksr.foobar.out.$n 2>&1 && ret=1
grep "dnssec-ksr: fatal: unknown command 'foobar'" ksr.foobar.out.$n > /dev/null || ret=1
ksr common foobar common.test >ksr.foobar.out.$n 2>&1 && ret=1
grep "dnssec-ksr: fatal: unknown command 'foobar'" ksr.foobar.out.$n >/dev/null || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
# Key generation: common
set_zsk () {
ALG=$1
SIZE=$2
LIFETIME=$3
set_zsk() {
ALG=$1
SIZE=$2
LIFETIME=$3
}
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr keygen' errors on missing end date ($n)"
ret=0
ksr common keygen common.test > ksr.keygen.out.$n 2>&1 && ret=1
grep "dnssec-ksr: fatal: keygen requires an end date" ksr.keygen.out.$n > /dev/null|| ret=1
ksr common keygen common.test >ksr.keygen.out.$n 2>&1 && ret=1
grep "dnssec-ksr: fatal: keygen requires an end date" ksr.keygen.out.$n >/dev/null || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr keygen' pregenerates right amount of keys in the common case ($n)"
ret=0
ksr common -i now -e +1y keygen common.test > ksr.keygen.out.$n 2>&1 || ret=1
ksr common -i now -e +1y keygen common.test >ksr.keygen.out.$n 2>&1 || ret=1
num=$(cat ksr.keygen.out.$n | wc -l)
[ $num -eq 2 ] || ret=1
set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400
check_keys common.test "." || ret=1
cp ksr.keygen.out.$n ksr.keygen.out.expect
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
# save now time
key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id)
grep "; Created:" "${key}.key" > now.out || ret=1
now=$(awk '{print $3}' < now.out)
grep "; Created:" "${key}.key" >now.out || ret=1
now=$(awk '{print $3}' <now.out)
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr keygen' selects pregenerated keys for the same time bundle ($n)"
ret=0
ksr common -e +1y keygen common.test > ksr.keygen.out.$n 2>&1 || ret=1
diff -w ksr.keygen.out.expect ksr.keygen.out.$n > /dev/null|| ret=1
for key in $(cat ksr.keygen.out.$n)
do
# Ensure the files are not modified.
diff ${key}.key ${key}.key.expect > /dev/null || ret=1
diff ${key}.private ${key}.private.expect > /dev/null || ret=1
diff ${key}.state ${key}.state.expect > /dev/null || ret=1
ksr common -e +1y keygen common.test >ksr.keygen.out.$n 2>&1 || ret=1
diff -w ksr.keygen.out.expect ksr.keygen.out.$n >/dev/null || ret=1
for key in $(cat ksr.keygen.out.$n); do
# Ensure the files are not modified.
diff ${key}.key ${key}.key.expect >/dev/null || ret=1
diff ${key}.private ${key}.private.expect >/dev/null || ret=1
diff ${key}.state ${key}.state.expect >/dev/null || ret=1
done
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
# Create request: common
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr request' errors on missing end date ($n)"
ret=0
ksr common request common.test > ksr.request.out.$n 2>&1 && ret=1
grep "dnssec-ksr: fatal: request requires an end date" ksr.request.out.$n > /dev/null|| ret=1
ksr common request common.test >ksr.request.out.$n 2>&1 && ret=1
grep "dnssec-ksr: fatal: request requires an end date" ksr.request.out.$n >/dev/null || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr request' creates correct KSR in the common case ($n)"
ret=0
ksr common -i $now -e +1y request common.test > ksr.request.out.$n 2>&1 || ret=1
ksr common -i $now -e +1y request common.test >ksr.request.out.$n 2>&1 || ret=1
# Bundle 1: KSK + ZSK1
key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id)
inception=$(cat $key.state | grep "Generated" | cut -d' ' -f 2-)
echo ";; KeySigningRequest 1.0 $inception" > ksr.request.expect.$n
cat common.test.ksk1 >> ksr.request.expect.$n
cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 >> ksr.request.expect.$n
echo ";; KeySigningRequest 1.0 $inception" >ksr.request.expect.$n
cat common.test.ksk1 >>ksr.request.expect.$n
cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 >>ksr.request.expect.$n
# Bundle 2: KSK + ZSK1 + ZSK2
key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk2.id)
inception=$(cat $key.state | grep "Published" | cut -d' ' -f 2-)
echo ";; KeySigningRequest 1.0 $inception" >> ksr.request.expect.$n
cat common.test.ksk1 >> ksr.request.expect.$n
echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n
cat common.test.ksk1 >>ksr.request.expect.$n
print_dnskeys common.test 1 2 $DEFAULT_ALGORITHM_NUMBER ksr.keygen.out.expect
# Bundle 3: KSK + ZSK2
key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id)
inception=$(cat $key.state | grep "Removed" | cut -d' ' -f 2-)
echo ";; KeySigningRequest 1.0 $inception" >> ksr.request.expect.$n
cat common.test.ksk1 >> ksr.request.expect.$n
cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >> ksr.request.expect.$n
echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n
cat common.test.ksk1 >>ksr.request.expect.$n
cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >>ksr.request.expect.$n
# Footer
cp ksr.request.expect.$n ksr.request.expect.base
grep ";; KeySigningRequest generated at" ksr.request.out.$n > footer.$n || ret=1
cat footer.$n >> ksr.request.expect.$n
grep ";; KeySigningRequest generated at" ksr.request.out.$n >footer.$n || ret=1
cat footer.$n >>ksr.request.expect.$n
# Check if request output is the same as expected.
diff -w ksr.request.out.$n ksr.request.expect.$n > /dev/null || ret=1
diff -w ksr.request.out.$n ksr.request.expect.$n >/dev/null || ret=1
# Save request for ksr sign operation.
cp ksr.request.expect.$n ksr.request.expect
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
# Sign request: common
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr sign' errors on missing KSR file ($n)"
ret=0
ksr common -i $now -e +1y sign common.test > ksr.sign.out.$n 2>&1 && ret=1
grep "dnssec-ksr: fatal: 'sign' requires a KSR file" ksr.sign.out.$n > /dev/null || ret=1
ksr common -i $now -e +1y sign common.test >ksr.sign.out.$n 2>&1 && ret=1
grep "dnssec-ksr: fatal: 'sign' requires a KSR file" ksr.sign.out.$n >/dev/null || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr sign' creates correct SKR in the common case ($n)"
ret=0
ksr common -i $now -e +1y -K offline -f ksr.request.expect sign common.test > ksr.sign.out.$n 2>&1 || ret=1
ksr common -i $now -e +1y -K offline -f ksr.request.expect sign common.test >ksr.sign.out.$n 2>&1 || ret=1
_update_expected_zsks() {
zsk=$((zsk+1))
next=$((next+1))
inception=$rollover_done
if [ "$next" -le "$numzsks" ]; then
key1="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${zsk}"
key2="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${next}"
zsk1=$(cat $key1.id)
zsk2=$(cat $key2.id)
rollover_start=$(cat $zsk2.state | grep "Published" | awk '{print $2}')
rollover_done=$(cat $zsk1.state | grep "Removed" | awk '{print $2}')
else
# No more expected rollovers.
key1="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${zsk}"
zsk1=$(cat $key1.id)
rollover_start=$((end+1))
rollover_done=$((end+1))
fi
zsk=$((zsk + 1))
next=$((next + 1))
inception=$rollover_done
if [ "$next" -le "$numzsks" ]; then
key1="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${zsk}"
key2="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${next}"
zsk1=$(cat $key1.id)
zsk2=$(cat $key2.id)
rollover_start=$(cat $zsk2.state | grep "Published" | awk '{print $2}')
rollover_done=$(cat $zsk1.state | grep "Removed" | awk '{print $2}')
else
# No more expected rollovers.
key1="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${zsk}"
zsk1=$(cat $key1.id)
rollover_start=$((end + 1))
rollover_done=$((end + 1))
fi
}
check_ksr() {
_ret=0
zone=$1
file=$2
start=$3
end=$4
numzsks=$5
_ret=0
zone=$1
file=$2
start=$3
end=$4
numzsks=$5
echo_i "check ksr: zone $1 file $2 from $3 to $4 num-zsk $5"
echo_i "check ksr: zone $1 file $2 from $3 to $4 num-zsk $5"
# Initial state: not in a rollover, expect a SignedKeyResponse header
# on the first line, start with the first ZSK (set zsk=0 so when we
# call _update_expected_zsks, zsk is set to 1.
rollover=0
expect="header"
zsk=0
next=1
rollover_done=$start
_update_expected_zsks
# Initial state: not in a rollover, expect a SignedKeyResponse header
# on the first line, start with the first ZSK (set zsk=0 so when we
# call _update_expected_zsks, zsk is set to 1.
rollover=0
expect="header"
zsk=0
next=1
rollover_done=$start
_update_expected_zsks
echo_i "check ksr: inception $inception rollover-start $rollover_start rollover-done $rollover_done"
echo_i "check ksr: inception $inception rollover-start $rollover_start rollover-done $rollover_done"
lineno=0
while IFS= read -r line
do
# A single signed key response will consist of:
# ;; SignedKeyResponse (header)
# ;; DNSKEY 257 (ksk)
# ;; one or two (during rollover) DNSKEY 256 (zsk1, zsk2)
# ;; RRSIG (rrsig)
err=0
lineno=$((lineno+1))
lineno=0
while IFS= read -r line; do
# A single signed key response will consist of:
# ;; SignedKeyResponse (header)
# ;; DNSKEY 257 (ksk)
# ;; one or two (during rollover) DNSKEY 256 (zsk1, zsk2)
# ;; RRSIG (rrsig)
err=0
lineno=$((lineno + 1))
# skip empty lines
if [ -z "$line" ]; then
continue
fi
# skip empty lines
if [ -z "$line" ]; then
continue
fi
if [ "$expect" = "header" ]; then
expected=";; SignedKeyResponse 1.0 $inception"
echo "$(echo $line | tr -s ' ')" | grep "$expected" > /dev/null || err=1
next_inception=$(addtime $inception 777600)
expect="ksk"
elif [ "$expect" = "ksk" ]; then
expected="$(cat ${zone}.ksk1)"
echo "$(echo $line | tr -s ' ')" | grep "$expected" > /dev/null || err=1
expect="zsk1"
elif [ "$expect" = "zsk1" ]; then
expected="$(cat $key1)"
echo "$(echo $line | tr -s ' ')" | grep "$expected" > /dev/null || err=1
expect="rrsig"
[ "$rollover" -eq 1 ] && expect="zsk2"
elif [ "$expect" = "zsk2" ]; then
expected="$(cat $key2)"
echo "$(echo $line | tr -s ' ')" | grep "$expected" > /dev/null || err=1
expect="rrsig"
elif [ "$expect" = "rrsig" ]; then
expiration=$(addtime $inception 1209600) # signature-validity 14 days
inception=$(addtime $inception -3600) # adjust for one hour clock skew
expected="${zone}. 3600 IN RRSIG DNSKEY 13 2 3600 $expiration $inception"
echo "$(echo $line | tr -s ' ')" | grep "$expected" > /dev/null || err=1
if [ "$expect" = "header" ]; then
expected=";; SignedKeyResponse 1.0 $inception"
echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1
next_inception=$(addtime $inception 777600)
expect="ksk"
elif [ "$expect" = "ksk" ]; then
expected="$(cat ${zone}.ksk1)"
echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1
expect="zsk1"
elif [ "$expect" = "zsk1" ]; then
expected="$(cat $key1)"
echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1
expect="rrsig"
[ "$rollover" -eq 1 ] && expect="zsk2"
elif [ "$expect" = "zsk2" ]; then
expected="$(cat $key2)"
echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1
expect="rrsig"
elif [ "$expect" = "rrsig" ]; then
expiration=$(addtime $inception 1209600) # signature-validity 14 days
inception=$(addtime $inception -3600) # adjust for one hour clock skew
expected="${zone}. 3600 IN RRSIG DNSKEY 13 2 3600 $expiration $inception"
echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1
inception=$next_inception
expect="header"
inception=$next_inception
expect="header"
# Update rollover status if required.
if [ "$inception" -ge "$end" ]; then
expect="footer"
elif [ "$inception" -ge "$rollover_done" ]; then
[ "$rollover" -eq 1 ] && inception=$rollover_done
rollover=0
_update_expected_zsks
elif [ "$inception" -ge "$rollover_start" ]; then
[ "$rollover" -eq 0 ] && inception=$rollover_start
rollover=1
# Keys will be sorted, so during a rollover a key with a
# lower keytag will be printed first. Update key1/key2 and
# zsk1/zsk2 accordingly.
id1=$(keyfile_to_key_id "$zsk1")
id2=$(keyfile_to_key_id "$zsk2")
if [ $id1 -gt $id2 ]; then
key1="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${next}"
key2="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${zsk}"
zsk1=$(cat $key1.id)
zsk2=$(cat $key2.id)
fi
fi
elif [ "$expect" = "footer" ]; then
expected=";; SignedKeyResponse 1.0 generated at"
echo "$(echo $line | tr -s ' ')" | grep "$expected" > /dev/null || err=1
# Update rollover status if required.
if [ "$inception" -ge "$end" ]; then
expect="footer"
elif [ "$inception" -ge "$rollover_done" ]; then
[ "$rollover" -eq 1 ] && inception=$rollover_done
rollover=0
_update_expected_zsks
elif [ "$inception" -ge "$rollover_start" ]; then
[ "$rollover" -eq 0 ] && inception=$rollover_start
rollover=1
# Keys will be sorted, so during a rollover a key with a
# lower keytag will be printed first. Update key1/key2 and
# zsk1/zsk2 accordingly.
id1=$(keyfile_to_key_id "$zsk1")
id2=$(keyfile_to_key_id "$zsk2")
if [ $id1 -gt $id2 ]; then
key1="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${next}"
key2="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${zsk}"
zsk1=$(cat $key1.id)
zsk2=$(cat $key2.id)
fi
fi
elif [ "$expect" = "footer" ]; then
expected=";; SignedKeyResponse 1.0 generated at"
echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1
expect="eof"
elif [ "$expect" = "eof" ]; then
expected="EOF"
echo_i "failed: expected EOF"
err=1
else
echo_i "failed: bad expect value $expect"
err=1
fi
expect="eof"
elif [ "$expect" = "eof" ]; then
expected="EOF"
echo_i "failed: expected EOF"
err=1
else
echo_i "failed: bad expect value $expect"
err=1
fi
echo "$(echo $line | tr -s ' ')" | grep "$expected" > /dev/null || err=1
if [ "$err" -ne 0 ]; then
echo_i "unexpected data on line $lineno:"
echo_i "line: $(echo $line | tr -s ' ')"
echo_i "expected: $expected"
fi
echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1
if [ "$err" -ne 0 ]; then
echo_i "unexpected data on line $lineno:"
echo_i "line: $(echo $line | tr -s ' ')"
echo_i "expected: $expected"
fi
_ret=$((_ret+err))
done < $file
_ret=$((_ret + err))
done <$file
return $_ret
return $_ret
}
zsk1=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id)
@@ -368,24 +362,24 @@ start=$(cat $zsk1.state | grep "Generated" | awk '{print $2}')
end=$(addtime $start 31536000) # one year
check_ksr "common.test" "ksr.sign.out.$n" $start $end 2 || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
# Key generation: common (2)
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr keygen' pregenerates keys in the given key-directory ($n)"
ret=0
ksr common -e +1y -K keydir keygen common.test > ksr.keygen.out.$n 2>&1 || ret=1
ksr common -e +1y -K keydir keygen common.test >ksr.keygen.out.$n 2>&1 || ret=1
num=$(cat ksr.keygen.out.$n | wc -l)
[ $num -eq 2 ] || ret=1
set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400
check_keys common.test keydir || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr keygen' selects generates only necessary keys for overlapping time bundle ($n)"
ret=0
ksr common -e +2y -v 1 keygen common.test > ksr.keygen.out.$n 2>&1 || ret=1
ksr common -e +2y -v 1 keygen common.test >ksr.keygen.out.$n 2>&1 || ret=1
num=$(cat ksr.keygen.out.$n | wc -l)
[ $num -eq 4 ] || ret=1
# 2 selected, 2 generated
@@ -395,162 +389,162 @@ num=$(grep "Generating" ksr.keygen.out.$n | wc -l)
[ $num -eq 2 ] || ret=1
cp ksr.keygen.out.$n ksr.keygen.out.expect
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "run 'dnssec-ksr keygen' again with verbosity 0 ($n)"
ret=0
ksr common -i $now -e +2y keygen common.test > ksr.keygen.out.$n 2>&1 || ret=1
ksr common -i $now -e +2y keygen common.test >ksr.keygen.out.$n 2>&1 || ret=1
num=$(cat ksr.keygen.out.$n | wc -l)
[ $num -eq 4 ] || ret=1
set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400
check_keys common.test "." || ret=1
cp ksr.keygen.out.$n ksr.keygen.out.expect
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
# Create request: common (2)
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr request' creates correct KSR if the interval is shorter ($n)"
ret=0
ksr common -i $now -e +1y request common.test > ksr.request.out.$n 2>&1 || ret=1
ksr common -i $now -e +1y request common.test >ksr.request.out.$n 2>&1 || ret=1
# Same as earlier.
cp ksr.request.expect.base ksr.request.expect.$n
grep ";; KeySigningRequest generated at" ksr.request.out.$n > footer.$n || ret=1
cat footer.$n >> ksr.request.expect.$n
diff -w ksr.request.out.$n ksr.request.expect.$n > /dev/null || ret=1
grep ";; KeySigningRequest generated at" ksr.request.out.$n >footer.$n || ret=1
cat footer.$n >>ksr.request.expect.$n
diff -w ksr.request.out.$n ksr.request.expect.$n >/dev/null || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr request' creates correct KSR with new interval ($n)"
ret=0
ksr common -i $now -e +2y request common.test > ksr.request.out.$n 2>&1 || ret=1
ksr common -i $now -e +2y request common.test >ksr.request.out.$n 2>&1 || ret=1
cp ksr.request.expect.base ksr.request.expect.$n
# Bundle 4: KSK + ZSK2 + ZSK3
key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk3.id)
inception=$(cat $key.state | grep "Published" | cut -d' ' -f 2-)
echo ";; KeySigningRequest 1.0 $inception" >> ksr.request.expect.$n
cat common.test.ksk1 >> ksr.request.expect.$n
echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n
cat common.test.ksk1 >>ksr.request.expect.$n
print_dnskeys common.test 2 3 $DEFAULT_ALGORITHM_NUMBER ksr.keygen.out.expect
# Bundle 5: KSK + ZSK3
key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk2.id)
inception=$(cat $key.state | grep "Removed" | cut -d' ' -f 2-)
echo ";; KeySigningRequest 1.0 $inception" >> ksr.request.expect.$n
cat common.test.ksk1 >> ksr.request.expect.$n
cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk3 >> ksr.request.expect.$n
echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n
cat common.test.ksk1 >>ksr.request.expect.$n
cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk3 >>ksr.request.expect.$n
# Bundle 6: KSK + ZSK3 + ZSK4
key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk4.id)
inception=$(cat $key.state | grep "Published" | cut -d' ' -f 2-)
echo ";; KeySigningRequest 1.0 $inception" >> ksr.request.expect.$n
cat common.test.ksk1 >> ksr.request.expect.$n
echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n
cat common.test.ksk1 >>ksr.request.expect.$n
print_dnskeys common.test 3 4 $DEFAULT_ALGORITHM_NUMBER ksr.keygen.out.expect
# Bundle 7: KSK + ZSK4
key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk3.id)
inception=$(cat $key.state | grep "Removed" | cut -d' ' -f 2-)
echo ";; KeySigningRequest 1.0 $inception" >> ksr.request.expect.$n
cat common.test.ksk1 >> ksr.request.expect.$n
cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk4 >> ksr.request.expect.$n
echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n
cat common.test.ksk1 >>ksr.request.expect.$n
cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk4 >>ksr.request.expect.$n
# Footer
cp ksr.request.expect.$n ksr.request.expect.base
grep ";; KeySigningRequest generated at" ksr.request.out.$n > footer.$n || ret=1
cat footer.$n >> ksr.request.expect.$n
diff -w ksr.request.out.$n ksr.request.expect.$n > /dev/null || ret=1
grep ";; KeySigningRequest generated at" ksr.request.out.$n >footer.$n || ret=1
cat footer.$n >>ksr.request.expect.$n
diff -w ksr.request.out.$n ksr.request.expect.$n >/dev/null || ret=1
# Save request for ksr sign operation.
cp ksr.request.expect.$n ksr.request.expect
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr request' errors if there are not enough keys ($n)"
ret=0
ksr common -i $now -e +3y request common.test > ksr.request.out.$n 2> ksr.request.err.$n && ret=1
grep "dnssec-ksr: fatal: no common.test/ECDSAP256SHA256 zsk key pair found for bundle" ksr.request.err.$n > /dev/null || ret=1
ksr common -i $now -e +3y request common.test >ksr.request.out.$n 2>ksr.request.err.$n && ret=1
grep "dnssec-ksr: fatal: no common.test/ECDSAP256SHA256 zsk key pair found for bundle" ksr.request.err.$n >/dev/null || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
# Sign request: common (2)
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr sign' creates correct SKR with the new interval ($n)"
ret=0
ksr common -i $now -e +2y -K offline -f ksr.request.expect sign common.test > ksr.sign.out.$n 2>&1 || ret=1
ksr common -i $now -e +2y -K offline -f ksr.request.expect sign common.test >ksr.sign.out.$n 2>&1 || ret=1
start=$(cat $zsk1.state | grep "Generated" | awk '{print $2}')
end=$(addtime $start 63072000) # two years
check_ksr "common.test" "ksr.sign.out.$n" $start $end 4 || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
# Key generation: csk
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr keygen' creates no keys for policy with csk ($n)"
ret=0
ksr csk -e +2y keygen csk.test > ksr.keygen.out.$n 2>&1 && ret=1
grep "dnssec-ksr: fatal: policy 'csk' has no zsks" ksr.keygen.out.$n > /dev/null || ret=1
ksr csk -e +2y keygen csk.test >ksr.keygen.out.$n 2>&1 && ret=1
grep "dnssec-ksr: fatal: policy 'csk' has no zsks" ksr.keygen.out.$n >/dev/null || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
# Key generation: unlimited
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr keygen' creates only one key for zsk with unlimited lifetime ($n)"
ret=0
ksr unlimited -e +2y keygen unlimited.test > ksr.keygen.out.$n 2>&1 || ret=1
ksr unlimited -e +2y keygen unlimited.test >ksr.keygen.out.$n 2>&1 || ret=1
num=$(cat ksr.keygen.out.$n | wc -l)
[ $num -eq 1 ] || ret=1
key=$(cat ksr.keygen.out.$n)
grep "; Created:" "${key}.key" > created.out || ret=1
created=$(awk '{print $3}' < created.out)
grep "; Created:" "${key}.key" >created.out || ret=1
created=$(awk '{print $3}' <created.out)
active=$created
published=$(addtime $active -7500)
echo_i "check metadata on $key"
grep "Algorithm: $DEFAULT_ALGORITHM_NUMBER" ${key}.state > /dev/null || ret=1
grep "Length: $DEFAULT_BITS" ${key}.state > /dev/null || ret=1
grep "Lifetime: 0" ${key}.state > /dev/null || ret=1
grep "KSK: no" ${key}.state > /dev/null || ret=1
grep "ZSK: yes" ${key}.state > /dev/null || ret=1
grep "Published: $published" ${key}.state > /dev/null || ret=1
grep "Active: $active" ${key}.state > /dev/null || ret=1
grep "Retired:" ${key}.state > /dev/null && ret=1
grep "Removed:" ${key}.state > /dev/null && ret=1
cat ${key}.key | grep -v ";.*" > unlimited.test.$DEFAULT_ALGORITHM_NUMBER.zsk1
echo $key > "unlimited.test.${DEFAULT_ALGORITHM_NUMBER}.zsk1.id"
grep "Algorithm: $DEFAULT_ALGORITHM_NUMBER" ${key}.state >/dev/null || ret=1
grep "Length: $DEFAULT_BITS" ${key}.state >/dev/null || ret=1
grep "Lifetime: 0" ${key}.state >/dev/null || ret=1
grep "KSK: no" ${key}.state >/dev/null || ret=1
grep "ZSK: yes" ${key}.state >/dev/null || ret=1
grep "Published: $published" ${key}.state >/dev/null || ret=1
grep "Active: $active" ${key}.state >/dev/null || ret=1
grep "Retired:" ${key}.state >/dev/null && ret=1
grep "Removed:" ${key}.state >/dev/null && ret=1
cat ${key}.key | grep -v ";.*" >unlimited.test.$DEFAULT_ALGORITHM_NUMBER.zsk1
echo $key >"unlimited.test.${DEFAULT_ALGORITHM_NUMBER}.zsk1.id"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
# Create request: unlimited
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr request' creates correct KSR with unlimited zsk ($n)"
ret=0
ksr unlimited -i $created -e +4y request unlimited.test > ksr.request.out.$n 2>&1 || ret=1
ksr unlimited -i $created -e +4y request unlimited.test >ksr.request.out.$n 2>&1 || ret=1
# Only one bundle: KSK + ZSK
inception=$(cat $key.state | grep "Generated" | cut -d' ' -f 2-)
echo ";; KeySigningRequest 1.0 $inception" > ksr.request.expect.$n
cat unlimited.test.ksk1 >> ksr.request.expect.$n
cat unlimited.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 >> ksr.request.expect.$n
echo ";; KeySigningRequest 1.0 $inception" >ksr.request.expect.$n
cat unlimited.test.ksk1 >>ksr.request.expect.$n
cat unlimited.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 >>ksr.request.expect.$n
# Footer
grep ";; KeySigningRequest generated at" ksr.request.out.$n > footer.$n || ret=1
cat footer.$n >> ksr.request.expect.$n
diff -w ksr.request.out.$n ksr.request.expect.$n > /dev/null || ret=1
grep ";; KeySigningRequest generated at" ksr.request.out.$n >footer.$n || ret=1
cat footer.$n >>ksr.request.expect.$n
diff -w ksr.request.out.$n ksr.request.expect.$n >/dev/null || ret=1
# Save request for ksr sign operation.
cp ksr.request.expect.$n ksr.request.expect
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
# Sign request: unlimited
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr sign' creates correct SKR with unlimited zsk ($n)"
ret=0
ksr unlimited -i $created -e +4y -K offline -f ksr.request.expect sign unlimited.test > ksr.sign.out.$n 2>&1 || ret=1
ksr unlimited -i $created -e +4y -K offline -f ksr.request.expect sign unlimited.test >ksr.sign.out.$n 2>&1 || ret=1
start=$(cat $key.state | grep "Generated" | awk '{print $2}')
end=$(addtime $start 126144000) # four years
check_ksr "unlimited.test" "ksr.sign.out.$n" $start $end 1 || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
# Key generation: two-tone
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr keygen' creates keys for different algorithms ($n)"
ret=0
ksr two-tone -e +1y keygen two-tone.test > ksr.keygen.out.$n 2>&1 || ret=1
ksr two-tone -e +1y keygen two-tone.test >ksr.keygen.out.$n 2>&1 || ret=1
# First algorithm keys have a lifetime of 3 months, so there should be 4 created keys.
alg=$(printf "%03d" "$DEFAULT_ALGORITHM_NUMBER")
num=$(grep "Ktwo-tone.test.+$alg+" ksr.keygen.out.$n | wc -l)
@@ -568,16 +562,16 @@ set_zsk $ALTERNATIVE_ALGORITHM_NUMBER $ALTERNATIVE_BITS 13392000
check_keys two-tone.test "." $ALTERNATIVE_ALGORITHM_NUMBER 13392000 || ret=1
cp ksr.keygen.out.$n ksr.keygen.out.expect.$ALTERNATIVE_ALGORITHM_NUMBER
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
# Create request: two-tone
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr request' creates correct KSR with multiple algorithms ($n)"
ret=0
key=$(cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id)
grep "; Created:" "${key}.key" > created.out || ret=1
created=$(awk '{print $3}' < created.out)
ksr two-tone -i $created -e +6mo request two-tone.test > ksr.request.out.$n 2>&1 || ret=1
grep "; Created:" "${key}.key" >created.out || ret=1
created=$(awk '{print $3}' <created.out)
ksr two-tone -i $created -e +6mo request two-tone.test >ksr.request.out.$n 2>&1 || ret=1
# The two-tone policy uses two sets of KSK/ZSK with different algorithms. One
# set uses the default algorithm (denoted as A below), the other is using the
# alternative algorithm (denoted as B). The A-ZSKs roll every three months,
@@ -589,58 +583,58 @@ ksr two-tone -i $created -e +6mo request two-tone.test > ksr.request.out.$n 2>&1
# Bundle 1: KSK-A1, KSK-B1, ZSK-A1, ZSK-B1
key=$(cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id)
inception=$(cat $key.state | grep "Generated" | cut -d' ' -f 2-)
echo ";; KeySigningRequest 1.0 $inception" > ksr.request.expect.$n
cat two-tone.test.ksk1 >> ksr.request.expect.$n
cat two-tone.test.ksk2 >> ksr.request.expect.$n
cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 >> ksr.request.expect.$n
cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1 >> ksr.request.expect.$n
echo ";; KeySigningRequest 1.0 $inception" >ksr.request.expect.$n
cat two-tone.test.ksk1 >>ksr.request.expect.$n
cat two-tone.test.ksk2 >>ksr.request.expect.$n
cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 >>ksr.request.expect.$n
cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1 >>ksr.request.expect.$n
# Bundle 2: KSK-A1, KSK-B1, ZSK-A1 + ZSK-A2, ZSK-B1
key=$(cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2.id)
inception=$(cat $key.state | grep "Published" | cut -d' ' -f 2-)
echo ";; KeySigningRequest 1.0 $inception" >> ksr.request.expect.$n
cat two-tone.test.ksk1 >> ksr.request.expect.$n
cat two-tone.test.ksk2 >> ksr.request.expect.$n
print_dnskeys two-tone.test 1 2 $DEFAULT_ALGORITHM_NUMBER ksr.keygen.out.expect.$DEFAULT_ALGORITHM_NUMBER >> ksr.request.expect.$n
cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1 >> ksr.request.expect.$n
echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n
cat two-tone.test.ksk1 >>ksr.request.expect.$n
cat two-tone.test.ksk2 >>ksr.request.expect.$n
print_dnskeys two-tone.test 1 2 $DEFAULT_ALGORITHM_NUMBER ksr.keygen.out.expect.$DEFAULT_ALGORITHM_NUMBER >>ksr.request.expect.$n
cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1 >>ksr.request.expect.$n
# Bundle 3: KSK-A1, KSK-B1, ZSK-A2, ZSK-B1
key=$(cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id)
inception=$(cat $key.state | grep "Removed" | cut -d' ' -f 2-)
echo ";; KeySigningRequest 1.0 $inception" >> ksr.request.expect.$n
cat two-tone.test.ksk1 >> ksr.request.expect.$n
cat two-tone.test.ksk2 >> ksr.request.expect.$n
cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >> ksr.request.expect.$n
cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1 >> ksr.request.expect.$n
echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n
cat two-tone.test.ksk1 >>ksr.request.expect.$n
cat two-tone.test.ksk2 >>ksr.request.expect.$n
cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >>ksr.request.expect.$n
cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1 >>ksr.request.expect.$n
# Bundle 4: KSK-A1, KSK-B1, ZSK-A2, ZSK-B1 + ZSK-B2
key=$(cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk2.id)
inception=$(cat $key.state | grep "Published" | cut -d' ' -f 2-)
echo ";; KeySigningRequest 1.0 $inception" >> ksr.request.expect.$n
cat two-tone.test.ksk1 >> ksr.request.expect.$n
cat two-tone.test.ksk2 >> ksr.request.expect.$n
cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >> ksr.request.expect.$n
print_dnskeys two-tone.test 1 2 $ALTERNATIVE_ALGORITHM_NUMBER ksr.keygen.out.expect.$ALTERNATIVE_ALGORITHM_NUMBER >> ksr.request.expect.$n
echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n
cat two-tone.test.ksk1 >>ksr.request.expect.$n
cat two-tone.test.ksk2 >>ksr.request.expect.$n
cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >>ksr.request.expect.$n
print_dnskeys two-tone.test 1 2 $ALTERNATIVE_ALGORITHM_NUMBER ksr.keygen.out.expect.$ALTERNATIVE_ALGORITHM_NUMBER >>ksr.request.expect.$n
# Bundle 5: KSK-A1, KSK-B1, ZSK-A2, ZSK-B2
key=$(cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1.id)
inception=$(cat $key.state | grep "Removed" | cut -d' ' -f 2-)
echo ";; KeySigningRequest 1.0 $inception" >> ksr.request.expect.$n
cat two-tone.test.ksk1 >> ksr.request.expect.$n
cat two-tone.test.ksk2 >> ksr.request.expect.$n
cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >> ksr.request.expect.$n
cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk2 >> ksr.request.expect.$n
echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n
cat two-tone.test.ksk1 >>ksr.request.expect.$n
cat two-tone.test.ksk2 >>ksr.request.expect.$n
cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >>ksr.request.expect.$n
cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk2 >>ksr.request.expect.$n
# Footer
grep ";; KeySigningRequest generated at" ksr.request.out.$n > footer.$n || ret=1
cat footer.$n >> ksr.request.expect.$n
grep ";; KeySigningRequest generated at" ksr.request.out.$n >footer.$n || ret=1
cat footer.$n >>ksr.request.expect.$n
# Check the KSR request against the expected request.
diff -w ksr.request.out.$n ksr.request.expect.$n > /dev/null || ret=1
diff -w ksr.request.out.$n ksr.request.expect.$n >/dev/null || ret=1
# Save request for ksr sign operation.
cp ksr.request.expect.$n ksr.request.expect
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
# Sign request: two-tone
n=$((n+1))
n=$((n + 1))
echo_i "check that 'dnssec-ksr sign' creates correct SKR with multiple algorithms ($n)"
ret=0
ksr two-tone -i $created -e +6mo -K offline -f ksr.request.expect sign two-tone.test > ksr.sign.out.$n 2>&1 || ret=1
ksr two-tone -i $created -e +6mo -K offline -f ksr.request.expect sign two-tone.test >ksr.sign.out.$n 2>&1 || ret=1
# Weak testing:
zone="two-tone.test"
# expect 24 headers (including the footer)
@@ -663,7 +657,7 @@ lines=$(grep "DNSKEY.*256 3 13" ksr.sign.out.$n | wc -l)
test "$lines" -eq 25 || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1