diff --git a/bin/tests/system/ksr/setup.sh b/bin/tests/system/ksr/setup.sh index e4cc852b23..acce084d8a 100644 --- a/bin/tests/system/ksr/setup.sh +++ b/bin/tests/system/ksr/setup.sh @@ -24,16 +24,15 @@ mkdir offline copy_setports named.conf.in named.conf # Create KSK for the various policies. -create_ksk () { - KSK=$($KEYGEN -l named.conf -fK -k $2 $1 2> keygen.out.$1) - num=0 - for ksk in $KSK - do - num=$(($num+1)) - cat "${ksk}.key" | grep -v ";.*" > "$1.ksk$num" - cp "${ksk}.key" offline/ - cp "${ksk}.private" offline/ - done +create_ksk() { + KSK=$($KEYGEN -l named.conf -fK -k $2 $1 2>keygen.out.$1) + num=0 + for ksk in $KSK; do + num=$(($num + 1)) + cat "${ksk}.key" | grep -v ";.*" >"$1.ksk$num" + cp "${ksk}.key" offline/ + cp "${ksk}.private" offline/ + done } create_ksk common.test common create_ksk unlimited.test unlimited diff --git a/bin/tests/system/ksr/tests.sh b/bin/tests/system/ksr/tests.sh index 8eff4af0af..c785955c3e 100644 --- a/bin/tests/system/ksr/tests.sh +++ b/bin/tests/system/ksr/tests.sh @@ -25,12 +25,12 @@ n=0 # $1: Value # $2: Additional time addtime() { - if [ -x "$PYTHON" ]; then - # Convert "%Y%m%d%H%M%S" format to epoch seconds. - # Then, add the additional time (can be negative). - _value=$1 - _plus=$2 - $PYTHON > python.out <python.out < created.out || return 1 - created=$(awk '{print $3}' < created.out) - test "$num" -eq 0 && retired=$created - # active: retired previous key - active=$retired - # published: 2h5m (dnskey-ttl + publish-safety + propagation) - published=$(addtime $active -7500) - # retired: zsk-lifetime - retired=$(addtime $active $lifetime) - # removed: 10d1h5m (ttlsig + retire-safety + sign-delay + propagation) - removed=$(addtime $retired 867900) + num=0 + for key in $(grep "K${zone}.+$pad+" ksr.keygen.out.$n); do + grep "; Created:" "${dir}/${key}.key" >created.out || return 1 + created=$(awk '{print $3}' /dev/null || return 1 - grep "Length: $size" $statefile > /dev/null || return 1 - grep "Lifetime: $lifetime" $statefile > /dev/null || return 1 - grep "KSK: no" $statefile > /dev/null || return 1 - grep "ZSK: yes" $statefile > /dev/null || return 1 - grep "Published: $published" $statefile > /dev/null || return 1 - grep "Active: $active" $statefile > /dev/null || return 1 - grep "Retired: $retired" $statefile > /dev/null || return 1 - grep "Removed: $removed" $statefile > /dev/null || return 1 + echo_i "check metadata on $key" + statefile="${dir}/${key}.state" + grep "Algorithm: $alg" $statefile >/dev/null || return 1 + grep "Length: $size" $statefile >/dev/null || return 1 + grep "Lifetime: $lifetime" $statefile >/dev/null || return 1 + grep "KSK: no" $statefile >/dev/null || return 1 + grep "ZSK: yes" $statefile >/dev/null || return 1 + grep "Published: $published" $statefile >/dev/null || return 1 + grep "Active: $active" $statefile >/dev/null || return 1 + grep "Retired: $retired" $statefile >/dev/null || return 1 + grep "Removed: $removed" $statefile >/dev/null || return 1 - inception=$((inception+lifetime)) - num=$((num+1)) + inception=$((inception + lifetime)) + num=$((num + 1)) - # Save some information for testing - cp ${dir}/${key}.key ${key}.key.expect - cp ${dir}/${key}.private ${key}.private.expect - cp ${dir}/${key}.state ${key}.state.expect - cat ${dir}/${key}.key | grep -v ";.*" > "${zone}.${alg}.zsk${num}" - echo $key > "${zone}.${alg}.zsk${num}.id" - done + # Save some information for testing + cp ${dir}/${key}.key ${key}.key.expect + cp ${dir}/${key}.private ${key}.private.expect + cp ${dir}/${key}.state ${key}.state.expect + cat ${dir}/${key}.key | grep -v ";.*" >"${zone}.${alg}.zsk${num}" + echo $key >"${zone}.${alg}.zsk${num}.id" + done - return 0 + return 0 ) # Print the DNSKEY records for zone $1, which have keys listed in file $5 # that match the keys with numbers $2 and $3, and match algorithm number $4, # sorted by keytag. -print_dnskeys () { - for key in $(cat $5 | sort) - do - for num in $2 $3 - do - zsk=$(cat $1.$4.zsk$num.id) - if [ "$key" = "$zsk" ]; then - cat $1.$4.zsk$num >> ksr.request.expect.$n - fi - done - done +print_dnskeys() { + for key in $(cat $5 | sort); do + for num in $2 $3; do + zsk=$(cat $1.$4.zsk$num.id) + if [ "$key" = "$zsk" ]; then + cat $1.$4.zsk$num >>ksr.request.expect.$n + fi + done + done } # Call the dnssec-ksr command: # ksr [options] -ksr () { - $KSR -l named.conf -k "$@" +ksr() { + $KSR -l named.conf -k "$@" } # Unknown action. -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-ksr' errors on unknown action ($n)" ret=0 -ksr common foobar common.test > ksr.foobar.out.$n 2>&1 && ret=1 -grep "dnssec-ksr: fatal: unknown command 'foobar'" ksr.foobar.out.$n > /dev/null || ret=1 +ksr common foobar common.test >ksr.foobar.out.$n 2>&1 && ret=1 +grep "dnssec-ksr: fatal: unknown command 'foobar'" ksr.foobar.out.$n >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Key generation: common -set_zsk () { - ALG=$1 - SIZE=$2 - LIFETIME=$3 +set_zsk() { + ALG=$1 + SIZE=$2 + LIFETIME=$3 } -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-ksr keygen' errors on missing end date ($n)" ret=0 -ksr common keygen common.test > ksr.keygen.out.$n 2>&1 && ret=1 -grep "dnssec-ksr: fatal: keygen requires an end date" ksr.keygen.out.$n > /dev/null|| ret=1 +ksr common keygen common.test >ksr.keygen.out.$n 2>&1 && ret=1 +grep "dnssec-ksr: fatal: keygen requires an end date" ksr.keygen.out.$n >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-ksr keygen' pregenerates right amount of keys in the common case ($n)" ret=0 -ksr common -i now -e +1y keygen common.test > ksr.keygen.out.$n 2>&1 || ret=1 +ksr common -i now -e +1y keygen common.test >ksr.keygen.out.$n 2>&1 || ret=1 num=$(cat ksr.keygen.out.$n | wc -l) [ $num -eq 2 ] || ret=1 set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400 check_keys common.test "." || ret=1 cp ksr.keygen.out.$n ksr.keygen.out.expect test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # save now time key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id) -grep "; Created:" "${key}.key" > now.out || ret=1 -now=$(awk '{print $3}' < now.out) +grep "; Created:" "${key}.key" >now.out || ret=1 +now=$(awk '{print $3}' ksr.keygen.out.$n 2>&1 || ret=1 -diff -w ksr.keygen.out.expect ksr.keygen.out.$n > /dev/null|| ret=1 -for key in $(cat ksr.keygen.out.$n) -do - # Ensure the files are not modified. - diff ${key}.key ${key}.key.expect > /dev/null || ret=1 - diff ${key}.private ${key}.private.expect > /dev/null || ret=1 - diff ${key}.state ${key}.state.expect > /dev/null || ret=1 +ksr common -e +1y keygen common.test >ksr.keygen.out.$n 2>&1 || ret=1 +diff -w ksr.keygen.out.expect ksr.keygen.out.$n >/dev/null || ret=1 +for key in $(cat ksr.keygen.out.$n); do + # Ensure the files are not modified. + diff ${key}.key ${key}.key.expect >/dev/null || ret=1 + diff ${key}.private ${key}.private.expect >/dev/null || ret=1 + diff ${key}.state ${key}.state.expect >/dev/null || ret=1 done test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Create request: common -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-ksr request' errors on missing end date ($n)" ret=0 -ksr common request common.test > ksr.request.out.$n 2>&1 && ret=1 -grep "dnssec-ksr: fatal: request requires an end date" ksr.request.out.$n > /dev/null|| ret=1 +ksr common request common.test >ksr.request.out.$n 2>&1 && ret=1 +grep "dnssec-ksr: fatal: request requires an end date" ksr.request.out.$n >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-ksr request' creates correct KSR in the common case ($n)" ret=0 -ksr common -i $now -e +1y request common.test > ksr.request.out.$n 2>&1 || ret=1 +ksr common -i $now -e +1y request common.test >ksr.request.out.$n 2>&1 || ret=1 # Bundle 1: KSK + ZSK1 key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id) inception=$(cat $key.state | grep "Generated" | cut -d' ' -f 2-) -echo ";; KeySigningRequest 1.0 $inception" > ksr.request.expect.$n -cat common.test.ksk1 >> ksr.request.expect.$n -cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 >> ksr.request.expect.$n +echo ";; KeySigningRequest 1.0 $inception" >ksr.request.expect.$n +cat common.test.ksk1 >>ksr.request.expect.$n +cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 >>ksr.request.expect.$n # Bundle 2: KSK + ZSK1 + ZSK2 key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk2.id) inception=$(cat $key.state | grep "Published" | cut -d' ' -f 2-) -echo ";; KeySigningRequest 1.0 $inception" >> ksr.request.expect.$n -cat common.test.ksk1 >> ksr.request.expect.$n +echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n +cat common.test.ksk1 >>ksr.request.expect.$n print_dnskeys common.test 1 2 $DEFAULT_ALGORITHM_NUMBER ksr.keygen.out.expect # Bundle 3: KSK + ZSK2 key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id) inception=$(cat $key.state | grep "Removed" | cut -d' ' -f 2-) -echo ";; KeySigningRequest 1.0 $inception" >> ksr.request.expect.$n -cat common.test.ksk1 >> ksr.request.expect.$n -cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >> ksr.request.expect.$n +echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n +cat common.test.ksk1 >>ksr.request.expect.$n +cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >>ksr.request.expect.$n # Footer cp ksr.request.expect.$n ksr.request.expect.base -grep ";; KeySigningRequest generated at" ksr.request.out.$n > footer.$n || ret=1 -cat footer.$n >> ksr.request.expect.$n +grep ";; KeySigningRequest generated at" ksr.request.out.$n >footer.$n || ret=1 +cat footer.$n >>ksr.request.expect.$n # Check if request output is the same as expected. -diff -w ksr.request.out.$n ksr.request.expect.$n > /dev/null || ret=1 +diff -w ksr.request.out.$n ksr.request.expect.$n >/dev/null || ret=1 # Save request for ksr sign operation. cp ksr.request.expect.$n ksr.request.expect test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Sign request: common -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-ksr sign' errors on missing KSR file ($n)" ret=0 -ksr common -i $now -e +1y sign common.test > ksr.sign.out.$n 2>&1 && ret=1 -grep "dnssec-ksr: fatal: 'sign' requires a KSR file" ksr.sign.out.$n > /dev/null || ret=1 +ksr common -i $now -e +1y sign common.test >ksr.sign.out.$n 2>&1 && ret=1 +grep "dnssec-ksr: fatal: 'sign' requires a KSR file" ksr.sign.out.$n >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-ksr sign' creates correct SKR in the common case ($n)" ret=0 -ksr common -i $now -e +1y -K offline -f ksr.request.expect sign common.test > ksr.sign.out.$n 2>&1 || ret=1 - +ksr common -i $now -e +1y -K offline -f ksr.request.expect sign common.test >ksr.sign.out.$n 2>&1 || ret=1 _update_expected_zsks() { - zsk=$((zsk+1)) - next=$((next+1)) - inception=$rollover_done - if [ "$next" -le "$numzsks" ]; then - key1="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${zsk}" - key2="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${next}" - zsk1=$(cat $key1.id) - zsk2=$(cat $key2.id) - rollover_start=$(cat $zsk2.state | grep "Published" | awk '{print $2}') - rollover_done=$(cat $zsk1.state | grep "Removed" | awk '{print $2}') - else - # No more expected rollovers. - key1="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${zsk}" - zsk1=$(cat $key1.id) - rollover_start=$((end+1)) - rollover_done=$((end+1)) - fi + zsk=$((zsk + 1)) + next=$((next + 1)) + inception=$rollover_done + if [ "$next" -le "$numzsks" ]; then + key1="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${zsk}" + key2="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${next}" + zsk1=$(cat $key1.id) + zsk2=$(cat $key2.id) + rollover_start=$(cat $zsk2.state | grep "Published" | awk '{print $2}') + rollover_done=$(cat $zsk1.state | grep "Removed" | awk '{print $2}') + else + # No more expected rollovers. + key1="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${zsk}" + zsk1=$(cat $key1.id) + rollover_start=$((end + 1)) + rollover_done=$((end + 1)) + fi } check_ksr() { - _ret=0 - zone=$1 - file=$2 - start=$3 - end=$4 - numzsks=$5 + _ret=0 + zone=$1 + file=$2 + start=$3 + end=$4 + numzsks=$5 - echo_i "check ksr: zone $1 file $2 from $3 to $4 num-zsk $5" + echo_i "check ksr: zone $1 file $2 from $3 to $4 num-zsk $5" - # Initial state: not in a rollover, expect a SignedKeyResponse header - # on the first line, start with the first ZSK (set zsk=0 so when we - # call _update_expected_zsks, zsk is set to 1. - rollover=0 - expect="header" - zsk=0 - next=1 - rollover_done=$start - _update_expected_zsks + # Initial state: not in a rollover, expect a SignedKeyResponse header + # on the first line, start with the first ZSK (set zsk=0 so when we + # call _update_expected_zsks, zsk is set to 1. + rollover=0 + expect="header" + zsk=0 + next=1 + rollover_done=$start + _update_expected_zsks - echo_i "check ksr: inception $inception rollover-start $rollover_start rollover-done $rollover_done" + echo_i "check ksr: inception $inception rollover-start $rollover_start rollover-done $rollover_done" - lineno=0 - while IFS= read -r line - do - # A single signed key response will consist of: - # ;; SignedKeyResponse (header) - # ;; DNSKEY 257 (ksk) - # ;; one or two (during rollover) DNSKEY 256 (zsk1, zsk2) - # ;; RRSIG (rrsig) - err=0 - lineno=$((lineno+1)) + lineno=0 + while IFS= read -r line; do + # A single signed key response will consist of: + # ;; SignedKeyResponse (header) + # ;; DNSKEY 257 (ksk) + # ;; one or two (during rollover) DNSKEY 256 (zsk1, zsk2) + # ;; RRSIG (rrsig) + err=0 + lineno=$((lineno + 1)) - # skip empty lines - if [ -z "$line" ]; then - continue - fi + # skip empty lines + if [ -z "$line" ]; then + continue + fi - if [ "$expect" = "header" ]; then - expected=";; SignedKeyResponse 1.0 $inception" - echo "$(echo $line | tr -s ' ')" | grep "$expected" > /dev/null || err=1 - next_inception=$(addtime $inception 777600) - expect="ksk" - elif [ "$expect" = "ksk" ]; then - expected="$(cat ${zone}.ksk1)" - echo "$(echo $line | tr -s ' ')" | grep "$expected" > /dev/null || err=1 - expect="zsk1" - elif [ "$expect" = "zsk1" ]; then - expected="$(cat $key1)" - echo "$(echo $line | tr -s ' ')" | grep "$expected" > /dev/null || err=1 - expect="rrsig" - [ "$rollover" -eq 1 ] && expect="zsk2" - elif [ "$expect" = "zsk2" ]; then - expected="$(cat $key2)" - echo "$(echo $line | tr -s ' ')" | grep "$expected" > /dev/null || err=1 - expect="rrsig" - elif [ "$expect" = "rrsig" ]; then - expiration=$(addtime $inception 1209600) # signature-validity 14 days - inception=$(addtime $inception -3600) # adjust for one hour clock skew - expected="${zone}. 3600 IN RRSIG DNSKEY 13 2 3600 $expiration $inception" - echo "$(echo $line | tr -s ' ')" | grep "$expected" > /dev/null || err=1 + if [ "$expect" = "header" ]; then + expected=";; SignedKeyResponse 1.0 $inception" + echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1 + next_inception=$(addtime $inception 777600) + expect="ksk" + elif [ "$expect" = "ksk" ]; then + expected="$(cat ${zone}.ksk1)" + echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1 + expect="zsk1" + elif [ "$expect" = "zsk1" ]; then + expected="$(cat $key1)" + echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1 + expect="rrsig" + [ "$rollover" -eq 1 ] && expect="zsk2" + elif [ "$expect" = "zsk2" ]; then + expected="$(cat $key2)" + echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1 + expect="rrsig" + elif [ "$expect" = "rrsig" ]; then + expiration=$(addtime $inception 1209600) # signature-validity 14 days + inception=$(addtime $inception -3600) # adjust for one hour clock skew + expected="${zone}. 3600 IN RRSIG DNSKEY 13 2 3600 $expiration $inception" + echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1 - inception=$next_inception - expect="header" + inception=$next_inception + expect="header" - # Update rollover status if required. - if [ "$inception" -ge "$end" ]; then - expect="footer" - elif [ "$inception" -ge "$rollover_done" ]; then - [ "$rollover" -eq 1 ] && inception=$rollover_done - rollover=0 - _update_expected_zsks - elif [ "$inception" -ge "$rollover_start" ]; then - [ "$rollover" -eq 0 ] && inception=$rollover_start - rollover=1 - # Keys will be sorted, so during a rollover a key with a - # lower keytag will be printed first. Update key1/key2 and - # zsk1/zsk2 accordingly. - id1=$(keyfile_to_key_id "$zsk1") - id2=$(keyfile_to_key_id "$zsk2") - if [ $id1 -gt $id2 ]; then - key1="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${next}" - key2="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${zsk}" - zsk1=$(cat $key1.id) - zsk2=$(cat $key2.id) - fi - fi - elif [ "$expect" = "footer" ]; then - expected=";; SignedKeyResponse 1.0 generated at" - echo "$(echo $line | tr -s ' ')" | grep "$expected" > /dev/null || err=1 + # Update rollover status if required. + if [ "$inception" -ge "$end" ]; then + expect="footer" + elif [ "$inception" -ge "$rollover_done" ]; then + [ "$rollover" -eq 1 ] && inception=$rollover_done + rollover=0 + _update_expected_zsks + elif [ "$inception" -ge "$rollover_start" ]; then + [ "$rollover" -eq 0 ] && inception=$rollover_start + rollover=1 + # Keys will be sorted, so during a rollover a key with a + # lower keytag will be printed first. Update key1/key2 and + # zsk1/zsk2 accordingly. + id1=$(keyfile_to_key_id "$zsk1") + id2=$(keyfile_to_key_id "$zsk2") + if [ $id1 -gt $id2 ]; then + key1="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${next}" + key2="${zone}.${DEFAULT_ALGORITHM_NUMBER}.zsk${zsk}" + zsk1=$(cat $key1.id) + zsk2=$(cat $key2.id) + fi + fi + elif [ "$expect" = "footer" ]; then + expected=";; SignedKeyResponse 1.0 generated at" + echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1 - expect="eof" - elif [ "$expect" = "eof" ]; then - expected="EOF" - echo_i "failed: expected EOF" - err=1 - else - echo_i "failed: bad expect value $expect" - err=1 - fi + expect="eof" + elif [ "$expect" = "eof" ]; then + expected="EOF" + echo_i "failed: expected EOF" + err=1 + else + echo_i "failed: bad expect value $expect" + err=1 + fi - echo "$(echo $line | tr -s ' ')" | grep "$expected" > /dev/null || err=1 - if [ "$err" -ne 0 ]; then - echo_i "unexpected data on line $lineno:" - echo_i "line: $(echo $line | tr -s ' ')" - echo_i "expected: $expected" - fi + echo "$(echo $line | tr -s ' ')" | grep "$expected" >/dev/null || err=1 + if [ "$err" -ne 0 ]; then + echo_i "unexpected data on line $lineno:" + echo_i "line: $(echo $line | tr -s ' ')" + echo_i "expected: $expected" + fi - _ret=$((_ret+err)) - done < $file + _ret=$((_ret + err)) + done <$file - return $_ret + return $_ret } zsk1=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id) @@ -368,24 +362,24 @@ start=$(cat $zsk1.state | grep "Generated" | awk '{print $2}') end=$(addtime $start 31536000) # one year check_ksr "common.test" "ksr.sign.out.$n" $start $end 2 || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Key generation: common (2) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-ksr keygen' pregenerates keys in the given key-directory ($n)" ret=0 -ksr common -e +1y -K keydir keygen common.test > ksr.keygen.out.$n 2>&1 || ret=1 +ksr common -e +1y -K keydir keygen common.test >ksr.keygen.out.$n 2>&1 || ret=1 num=$(cat ksr.keygen.out.$n | wc -l) [ $num -eq 2 ] || ret=1 set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400 check_keys common.test keydir || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-ksr keygen' selects generates only necessary keys for overlapping time bundle ($n)" ret=0 -ksr common -e +2y -v 1 keygen common.test > ksr.keygen.out.$n 2>&1 || ret=1 +ksr common -e +2y -v 1 keygen common.test >ksr.keygen.out.$n 2>&1 || ret=1 num=$(cat ksr.keygen.out.$n | wc -l) [ $num -eq 4 ] || ret=1 # 2 selected, 2 generated @@ -395,162 +389,162 @@ num=$(grep "Generating" ksr.keygen.out.$n | wc -l) [ $num -eq 2 ] || ret=1 cp ksr.keygen.out.$n ksr.keygen.out.expect test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "run 'dnssec-ksr keygen' again with verbosity 0 ($n)" ret=0 -ksr common -i $now -e +2y keygen common.test > ksr.keygen.out.$n 2>&1 || ret=1 +ksr common -i $now -e +2y keygen common.test >ksr.keygen.out.$n 2>&1 || ret=1 num=$(cat ksr.keygen.out.$n | wc -l) [ $num -eq 4 ] || ret=1 set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400 check_keys common.test "." || ret=1 cp ksr.keygen.out.$n ksr.keygen.out.expect test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Create request: common (2) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-ksr request' creates correct KSR if the interval is shorter ($n)" ret=0 -ksr common -i $now -e +1y request common.test > ksr.request.out.$n 2>&1 || ret=1 +ksr common -i $now -e +1y request common.test >ksr.request.out.$n 2>&1 || ret=1 # Same as earlier. cp ksr.request.expect.base ksr.request.expect.$n -grep ";; KeySigningRequest generated at" ksr.request.out.$n > footer.$n || ret=1 -cat footer.$n >> ksr.request.expect.$n -diff -w ksr.request.out.$n ksr.request.expect.$n > /dev/null || ret=1 +grep ";; KeySigningRequest generated at" ksr.request.out.$n >footer.$n || ret=1 +cat footer.$n >>ksr.request.expect.$n +diff -w ksr.request.out.$n ksr.request.expect.$n >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-ksr request' creates correct KSR with new interval ($n)" ret=0 -ksr common -i $now -e +2y request common.test > ksr.request.out.$n 2>&1 || ret=1 +ksr common -i $now -e +2y request common.test >ksr.request.out.$n 2>&1 || ret=1 cp ksr.request.expect.base ksr.request.expect.$n # Bundle 4: KSK + ZSK2 + ZSK3 key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk3.id) inception=$(cat $key.state | grep "Published" | cut -d' ' -f 2-) -echo ";; KeySigningRequest 1.0 $inception" >> ksr.request.expect.$n -cat common.test.ksk1 >> ksr.request.expect.$n +echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n +cat common.test.ksk1 >>ksr.request.expect.$n print_dnskeys common.test 2 3 $DEFAULT_ALGORITHM_NUMBER ksr.keygen.out.expect # Bundle 5: KSK + ZSK3 key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk2.id) inception=$(cat $key.state | grep "Removed" | cut -d' ' -f 2-) -echo ";; KeySigningRequest 1.0 $inception" >> ksr.request.expect.$n -cat common.test.ksk1 >> ksr.request.expect.$n -cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk3 >> ksr.request.expect.$n +echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n +cat common.test.ksk1 >>ksr.request.expect.$n +cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk3 >>ksr.request.expect.$n # Bundle 6: KSK + ZSK3 + ZSK4 key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk4.id) inception=$(cat $key.state | grep "Published" | cut -d' ' -f 2-) -echo ";; KeySigningRequest 1.0 $inception" >> ksr.request.expect.$n -cat common.test.ksk1 >> ksr.request.expect.$n +echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n +cat common.test.ksk1 >>ksr.request.expect.$n print_dnskeys common.test 3 4 $DEFAULT_ALGORITHM_NUMBER ksr.keygen.out.expect # Bundle 7: KSK + ZSK4 key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk3.id) inception=$(cat $key.state | grep "Removed" | cut -d' ' -f 2-) -echo ";; KeySigningRequest 1.0 $inception" >> ksr.request.expect.$n -cat common.test.ksk1 >> ksr.request.expect.$n -cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk4 >> ksr.request.expect.$n +echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n +cat common.test.ksk1 >>ksr.request.expect.$n +cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk4 >>ksr.request.expect.$n # Footer cp ksr.request.expect.$n ksr.request.expect.base -grep ";; KeySigningRequest generated at" ksr.request.out.$n > footer.$n || ret=1 -cat footer.$n >> ksr.request.expect.$n -diff -w ksr.request.out.$n ksr.request.expect.$n > /dev/null || ret=1 +grep ";; KeySigningRequest generated at" ksr.request.out.$n >footer.$n || ret=1 +cat footer.$n >>ksr.request.expect.$n +diff -w ksr.request.out.$n ksr.request.expect.$n >/dev/null || ret=1 # Save request for ksr sign operation. cp ksr.request.expect.$n ksr.request.expect test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-ksr request' errors if there are not enough keys ($n)" ret=0 -ksr common -i $now -e +3y request common.test > ksr.request.out.$n 2> ksr.request.err.$n && ret=1 -grep "dnssec-ksr: fatal: no common.test/ECDSAP256SHA256 zsk key pair found for bundle" ksr.request.err.$n > /dev/null || ret=1 +ksr common -i $now -e +3y request common.test >ksr.request.out.$n 2>ksr.request.err.$n && ret=1 +grep "dnssec-ksr: fatal: no common.test/ECDSAP256SHA256 zsk key pair found for bundle" ksr.request.err.$n >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Sign request: common (2) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-ksr sign' creates correct SKR with the new interval ($n)" ret=0 -ksr common -i $now -e +2y -K offline -f ksr.request.expect sign common.test > ksr.sign.out.$n 2>&1 || ret=1 +ksr common -i $now -e +2y -K offline -f ksr.request.expect sign common.test >ksr.sign.out.$n 2>&1 || ret=1 start=$(cat $zsk1.state | grep "Generated" | awk '{print $2}') end=$(addtime $start 63072000) # two years check_ksr "common.test" "ksr.sign.out.$n" $start $end 4 || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Key generation: csk -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-ksr keygen' creates no keys for policy with csk ($n)" ret=0 -ksr csk -e +2y keygen csk.test > ksr.keygen.out.$n 2>&1 && ret=1 -grep "dnssec-ksr: fatal: policy 'csk' has no zsks" ksr.keygen.out.$n > /dev/null || ret=1 +ksr csk -e +2y keygen csk.test >ksr.keygen.out.$n 2>&1 && ret=1 +grep "dnssec-ksr: fatal: policy 'csk' has no zsks" ksr.keygen.out.$n >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Key generation: unlimited -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-ksr keygen' creates only one key for zsk with unlimited lifetime ($n)" ret=0 -ksr unlimited -e +2y keygen unlimited.test > ksr.keygen.out.$n 2>&1 || ret=1 +ksr unlimited -e +2y keygen unlimited.test >ksr.keygen.out.$n 2>&1 || ret=1 num=$(cat ksr.keygen.out.$n | wc -l) [ $num -eq 1 ] || ret=1 key=$(cat ksr.keygen.out.$n) -grep "; Created:" "${key}.key" > created.out || ret=1 -created=$(awk '{print $3}' < created.out) +grep "; Created:" "${key}.key" >created.out || ret=1 +created=$(awk '{print $3}' /dev/null || ret=1 -grep "Length: $DEFAULT_BITS" ${key}.state > /dev/null || ret=1 -grep "Lifetime: 0" ${key}.state > /dev/null || ret=1 -grep "KSK: no" ${key}.state > /dev/null || ret=1 -grep "ZSK: yes" ${key}.state > /dev/null || ret=1 -grep "Published: $published" ${key}.state > /dev/null || ret=1 -grep "Active: $active" ${key}.state > /dev/null || ret=1 -grep "Retired:" ${key}.state > /dev/null && ret=1 -grep "Removed:" ${key}.state > /dev/null && ret=1 -cat ${key}.key | grep -v ";.*" > unlimited.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 -echo $key > "unlimited.test.${DEFAULT_ALGORITHM_NUMBER}.zsk1.id" +grep "Algorithm: $DEFAULT_ALGORITHM_NUMBER" ${key}.state >/dev/null || ret=1 +grep "Length: $DEFAULT_BITS" ${key}.state >/dev/null || ret=1 +grep "Lifetime: 0" ${key}.state >/dev/null || ret=1 +grep "KSK: no" ${key}.state >/dev/null || ret=1 +grep "ZSK: yes" ${key}.state >/dev/null || ret=1 +grep "Published: $published" ${key}.state >/dev/null || ret=1 +grep "Active: $active" ${key}.state >/dev/null || ret=1 +grep "Retired:" ${key}.state >/dev/null && ret=1 +grep "Removed:" ${key}.state >/dev/null && ret=1 +cat ${key}.key | grep -v ";.*" >unlimited.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 +echo $key >"unlimited.test.${DEFAULT_ALGORITHM_NUMBER}.zsk1.id" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Create request: unlimited -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-ksr request' creates correct KSR with unlimited zsk ($n)" ret=0 -ksr unlimited -i $created -e +4y request unlimited.test > ksr.request.out.$n 2>&1 || ret=1 +ksr unlimited -i $created -e +4y request unlimited.test >ksr.request.out.$n 2>&1 || ret=1 # Only one bundle: KSK + ZSK inception=$(cat $key.state | grep "Generated" | cut -d' ' -f 2-) -echo ";; KeySigningRequest 1.0 $inception" > ksr.request.expect.$n -cat unlimited.test.ksk1 >> ksr.request.expect.$n -cat unlimited.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 >> ksr.request.expect.$n +echo ";; KeySigningRequest 1.0 $inception" >ksr.request.expect.$n +cat unlimited.test.ksk1 >>ksr.request.expect.$n +cat unlimited.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 >>ksr.request.expect.$n # Footer -grep ";; KeySigningRequest generated at" ksr.request.out.$n > footer.$n || ret=1 -cat footer.$n >> ksr.request.expect.$n -diff -w ksr.request.out.$n ksr.request.expect.$n > /dev/null || ret=1 +grep ";; KeySigningRequest generated at" ksr.request.out.$n >footer.$n || ret=1 +cat footer.$n >>ksr.request.expect.$n +diff -w ksr.request.out.$n ksr.request.expect.$n >/dev/null || ret=1 # Save request for ksr sign operation. cp ksr.request.expect.$n ksr.request.expect test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Sign request: unlimited -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-ksr sign' creates correct SKR with unlimited zsk ($n)" ret=0 -ksr unlimited -i $created -e +4y -K offline -f ksr.request.expect sign unlimited.test > ksr.sign.out.$n 2>&1 || ret=1 +ksr unlimited -i $created -e +4y -K offline -f ksr.request.expect sign unlimited.test >ksr.sign.out.$n 2>&1 || ret=1 start=$(cat $key.state | grep "Generated" | awk '{print $2}') end=$(addtime $start 126144000) # four years check_ksr "unlimited.test" "ksr.sign.out.$n" $start $end 1 || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Key generation: two-tone -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-ksr keygen' creates keys for different algorithms ($n)" ret=0 -ksr two-tone -e +1y keygen two-tone.test > ksr.keygen.out.$n 2>&1 || ret=1 +ksr two-tone -e +1y keygen two-tone.test >ksr.keygen.out.$n 2>&1 || ret=1 # First algorithm keys have a lifetime of 3 months, so there should be 4 created keys. alg=$(printf "%03d" "$DEFAULT_ALGORITHM_NUMBER") num=$(grep "Ktwo-tone.test.+$alg+" ksr.keygen.out.$n | wc -l) @@ -568,16 +562,16 @@ set_zsk $ALTERNATIVE_ALGORITHM_NUMBER $ALTERNATIVE_BITS 13392000 check_keys two-tone.test "." $ALTERNATIVE_ALGORITHM_NUMBER 13392000 || ret=1 cp ksr.keygen.out.$n ksr.keygen.out.expect.$ALTERNATIVE_ALGORITHM_NUMBER test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Create request: two-tone -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-ksr request' creates correct KSR with multiple algorithms ($n)" ret=0 key=$(cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id) -grep "; Created:" "${key}.key" > created.out || ret=1 -created=$(awk '{print $3}' < created.out) -ksr two-tone -i $created -e +6mo request two-tone.test > ksr.request.out.$n 2>&1 || ret=1 +grep "; Created:" "${key}.key" >created.out || ret=1 +created=$(awk '{print $3}' ksr.request.out.$n 2>&1 || ret=1 # The two-tone policy uses two sets of KSK/ZSK with different algorithms. One # set uses the default algorithm (denoted as A below), the other is using the # alternative algorithm (denoted as B). The A-ZSKs roll every three months, @@ -589,58 +583,58 @@ ksr two-tone -i $created -e +6mo request two-tone.test > ksr.request.out.$n 2>&1 # Bundle 1: KSK-A1, KSK-B1, ZSK-A1, ZSK-B1 key=$(cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id) inception=$(cat $key.state | grep "Generated" | cut -d' ' -f 2-) -echo ";; KeySigningRequest 1.0 $inception" > ksr.request.expect.$n -cat two-tone.test.ksk1 >> ksr.request.expect.$n -cat two-tone.test.ksk2 >> ksr.request.expect.$n -cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 >> ksr.request.expect.$n -cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1 >> ksr.request.expect.$n +echo ";; KeySigningRequest 1.0 $inception" >ksr.request.expect.$n +cat two-tone.test.ksk1 >>ksr.request.expect.$n +cat two-tone.test.ksk2 >>ksr.request.expect.$n +cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 >>ksr.request.expect.$n +cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1 >>ksr.request.expect.$n # Bundle 2: KSK-A1, KSK-B1, ZSK-A1 + ZSK-A2, ZSK-B1 key=$(cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2.id) inception=$(cat $key.state | grep "Published" | cut -d' ' -f 2-) -echo ";; KeySigningRequest 1.0 $inception" >> ksr.request.expect.$n -cat two-tone.test.ksk1 >> ksr.request.expect.$n -cat two-tone.test.ksk2 >> ksr.request.expect.$n -print_dnskeys two-tone.test 1 2 $DEFAULT_ALGORITHM_NUMBER ksr.keygen.out.expect.$DEFAULT_ALGORITHM_NUMBER >> ksr.request.expect.$n -cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1 >> ksr.request.expect.$n +echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n +cat two-tone.test.ksk1 >>ksr.request.expect.$n +cat two-tone.test.ksk2 >>ksr.request.expect.$n +print_dnskeys two-tone.test 1 2 $DEFAULT_ALGORITHM_NUMBER ksr.keygen.out.expect.$DEFAULT_ALGORITHM_NUMBER >>ksr.request.expect.$n +cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1 >>ksr.request.expect.$n # Bundle 3: KSK-A1, KSK-B1, ZSK-A2, ZSK-B1 key=$(cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id) inception=$(cat $key.state | grep "Removed" | cut -d' ' -f 2-) -echo ";; KeySigningRequest 1.0 $inception" >> ksr.request.expect.$n -cat two-tone.test.ksk1 >> ksr.request.expect.$n -cat two-tone.test.ksk2 >> ksr.request.expect.$n -cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >> ksr.request.expect.$n -cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1 >> ksr.request.expect.$n +echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n +cat two-tone.test.ksk1 >>ksr.request.expect.$n +cat two-tone.test.ksk2 >>ksr.request.expect.$n +cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >>ksr.request.expect.$n +cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1 >>ksr.request.expect.$n # Bundle 4: KSK-A1, KSK-B1, ZSK-A2, ZSK-B1 + ZSK-B2 key=$(cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk2.id) inception=$(cat $key.state | grep "Published" | cut -d' ' -f 2-) -echo ";; KeySigningRequest 1.0 $inception" >> ksr.request.expect.$n -cat two-tone.test.ksk1 >> ksr.request.expect.$n -cat two-tone.test.ksk2 >> ksr.request.expect.$n -cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >> ksr.request.expect.$n -print_dnskeys two-tone.test 1 2 $ALTERNATIVE_ALGORITHM_NUMBER ksr.keygen.out.expect.$ALTERNATIVE_ALGORITHM_NUMBER >> ksr.request.expect.$n +echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n +cat two-tone.test.ksk1 >>ksr.request.expect.$n +cat two-tone.test.ksk2 >>ksr.request.expect.$n +cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >>ksr.request.expect.$n +print_dnskeys two-tone.test 1 2 $ALTERNATIVE_ALGORITHM_NUMBER ksr.keygen.out.expect.$ALTERNATIVE_ALGORITHM_NUMBER >>ksr.request.expect.$n # Bundle 5: KSK-A1, KSK-B1, ZSK-A2, ZSK-B2 key=$(cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1.id) inception=$(cat $key.state | grep "Removed" | cut -d' ' -f 2-) -echo ";; KeySigningRequest 1.0 $inception" >> ksr.request.expect.$n -cat two-tone.test.ksk1 >> ksr.request.expect.$n -cat two-tone.test.ksk2 >> ksr.request.expect.$n -cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >> ksr.request.expect.$n -cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk2 >> ksr.request.expect.$n +echo ";; KeySigningRequest 1.0 $inception" >>ksr.request.expect.$n +cat two-tone.test.ksk1 >>ksr.request.expect.$n +cat two-tone.test.ksk2 >>ksr.request.expect.$n +cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >>ksr.request.expect.$n +cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk2 >>ksr.request.expect.$n # Footer -grep ";; KeySigningRequest generated at" ksr.request.out.$n > footer.$n || ret=1 -cat footer.$n >> ksr.request.expect.$n +grep ";; KeySigningRequest generated at" ksr.request.out.$n >footer.$n || ret=1 +cat footer.$n >>ksr.request.expect.$n # Check the KSR request against the expected request. -diff -w ksr.request.out.$n ksr.request.expect.$n > /dev/null || ret=1 +diff -w ksr.request.out.$n ksr.request.expect.$n >/dev/null || ret=1 # Save request for ksr sign operation. cp ksr.request.expect.$n ksr.request.expect test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Sign request: two-tone -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-ksr sign' creates correct SKR with multiple algorithms ($n)" ret=0 -ksr two-tone -i $created -e +6mo -K offline -f ksr.request.expect sign two-tone.test > ksr.sign.out.$n 2>&1 || ret=1 +ksr two-tone -i $created -e +6mo -K offline -f ksr.request.expect sign two-tone.test >ksr.sign.out.$n 2>&1 || ret=1 # Weak testing: zone="two-tone.test" # expect 24 headers (including the footer) @@ -663,7 +657,7 @@ lines=$(grep "DNSKEY.*256 3 13" ksr.sign.out.$n | wc -l) test "$lines" -eq 25 || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1