From 908bf753f9c684bd63aaf47e55b3faca587efd6b Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Wed, 22 May 2024 11:19:20 +0200
Subject: [PATCH] Test rndc skr import

Test importing a Signed Key Response. Files should be loaded and once loaded the correct bundle should be used. Alsoe test cases where the bundle is not the first bundle in the SKR.

(cherry picked from commit afe093258c279cd6b47a1d98657bc4e6f76e1875)
---
 bin/tests/system/ksr/ns1/setup.sh | 8 +
 bin/tests/system/ksr/tests.sh | 414 ++++++++++++++++++++++++++++++
 2 files changed, 422 insertions(+)

diff --git a/bin/tests/system/ksr/ns1/setup.sh b/bin/tests/system/ksr/ns1/setup.sh
index ee3a8b738b..c17c43de2e 100644
--- a/bin/tests/system/ksr/ns1/setup.sh
+++ b/bin/tests/system/ksr/ns1/setup.sh
@@ -20,6 +20,10 @@ mkdir offline
 # Zone files
 cp template.db.in common.test.db
+cp template.db.in past.test.db
+cp template.db.in future.test.db
+cp template.db.in last-bundle.test.db
+cp template.db.in in-the-middle.test.db
 # Create KSK for the various policies.
 create_ksk() {
@@ -35,5 +39,9 @@ create_ksk() {
 done
 }
 create_ksk common.test common
+create_ksk past.test common
+create_ksk future.test common
+create_ksk last-bundle.test common
+create_ksk in-the-middle.test common
 create_ksk unlimited.test unlimited
 create_ksk two-tone.test two-tone
diff --git a/bin/tests/system/ksr/tests.sh b/bin/tests/system/ksr/tests.sh
index a8c8068095..4fb9f9fac5 100644
--- a/bin/tests/system/ksr/tests.sh
+++ b/bin/tests/system/ksr/tests.sh
@@ -544,6 +544,420 @@ ksr common -K ns1 -i $now -e +2y -K ns1/offline -f ksr.request.expect sign commo
 start=$(cat ns1/$zsk1.state | grep "Generated" | awk '{print $2}')
 end=$(addtime $start 63072000) # two years
 check_skr "common.test" "ns1/offline" "ksr.sign.out.$n" $start $end 4 || ret=1
+# Save response for skr import operation.
+cp ksr.sign.out.$n ns1/common.test.skr
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+# Add zone: common
+n=$((n + 1))
+echo_i "add zone 'common.test' ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 addzone 'common.test { type primary; file "common.test.db"; dnssec-policy common; };' 2>&1 | sed 's/^/I:ns1 /' || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+# Import skr: common
+n=$((n + 1))
+echo_i "import ksr to zone 'common.test' ($n)"
+ret=0
+sleep 2
+$RNDCCMD 10.53.0.1 skr -import common.test.skr common.test 2>&1 | sed 's/^/I:ns1 /' || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+# Test that common.test is signed and uses the right DNSKEY and RRSIG records.
+n=$((n + 1))
+echo_i "test zone 'common.test' is correctly signed ($n)"
+ret=0
+
+set_zone "common.test"
+set_policy "common" "4" "3600"
+set_server "ns1" "10.53.0.1"
+# Only ZSKs
+set_keyrole "KEY1" "zsk"
+set_keylifetime "KEY1" "16070400"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "no"
+set_zonesigning "KEY1" "yes"
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "16070400"
+set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "no"
+set_keystate "KEY2" "GOAL" "hidden"
+set_keystate "KEY2" "STATE_DNSKEY" "hidden"
+set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
+
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "16070400"
+set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "no"
+set_keystate "KEY3" "GOAL" "hidden"
+set_keystate "KEY3" "STATE_DNSKEY" "hidden"
+set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
+
+set_keyrole "KEY4" "zsk"
+set_keylifetime "KEY4" "16070400"
+set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY4" "no"
+set_zonesigning "KEY4" "no"
+set_keystate "KEY4" "GOAL" "hidden"
+set_keystate "KEY4" "STATE_DNSKEY" "hidden"
+set_keystate "KEY4" "STATE_ZRRSIG" "hidden"
+
+MAXDEPTH=1
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_subdomain
+dnssec_verify
+
+# For checking the apex, we need to store the expected KSK metadata.
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+set_policy "common" "1" "3600"
+set_server "ns1/offline" "10.53.0.1"
+set_keyrole "KEY2" "ksk"
+set_keylifetime "KEY2" "0"
+set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY2" "yes"
+set_zonesigning "KEY2" "no"
+check_keys "keep"
+
+DIR="ns1"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY2" "STATE_DS" "omnipresent"
+check_apex
+
+# Check that key id's match expected keys
+n=$((n + 1))
+zsk1=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id)
+key1=$(key_get "KEY1" BASEFILE)
+echo_i "check that published zsk $zsk1 matches first key $key1 in bundle ($n)"
+ret=0
+[ "ns1/$zsk1" = "$key1" ] || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+ksk=$(cat common.test.ksk1.id)
+key2=$(key_get "KEY2" BASEFILE)
+echo_i "check that published ksk $ksk matches ksk $key2 ($n)"
+ret=0
+[ "ns1/offline/$ksk" = "$key2" ] || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+# Key generation: last-bundle
+n=$((n + 1))
+echo_i "generate keys for testing an SKR that is in the last bundle ($n)"
+ret=0
+ksr common -K ns1 -i -1y -e +1d keygen last-bundle.test >ksr.keygen.out.$n 2>&1 || ret=1
+num=$(cat ksr.keygen.out.$n | wc -l)
+[ $num -eq 2 ] || ret=1
+set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400
+ksr_check_keys last-bundle.test ns1 -31536000 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+# Create request: last-bundle
+n=$((n + 1))
+echo_i "create ksr for last bundle test ($n)"
+ret=0
+ksr common -K ns1 -i -1y -e +1d request last-bundle.test >ksr.request.out.$n 2>&1 || ret=1
+cp ksr.request.out.$n last-bundle.test.ksr
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+# Sign request: last-bundle
+n=$((n + 1))
+echo_i "create skr for last bundle test ($n)"
+ret=0
+ksr common -i -1y -e +1d -K ns1/offline -f last-bundle.test.ksr sign last-bundle.test >ksr.sign.out.$n 2>&1 || ret=1
+cp ksr.sign.out.$n ns1/last-bundle.test.skr
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+# Add zone: last-bundle
+n=$((n + 1))
+echo_i "add zone 'last-bundle.test' ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 addzone 'last-bundle.test { type primary; file "last-bundle.test.db"; dnssec-policy common; };' 2>&1 | sed 's/^/I:ns1 /' || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+# Import skr: last-bundle
+n=$((n + 1))
+echo_i "import ksr to zone 'last-bundle.test' ($n)"
+ret=0
+sleep 2
+$RNDCCMD 10.53.0.1 skr -import last-bundle.test.skr last-bundle.test 2>&1 | sed 's/^/I:ns1 /' || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+# Test that last-bundle.test is signed and uses the right DNSKEY and RRSIG records.
+n=$((n + 1))
+echo_i "test zone 'last-bundle.test' is correctly signed ($n)"
+ret=0
+
+set_zone "last-bundle.test"
+set_policy "common" "2" "3600"
+set_server "ns1" "10.53.0.1"
+# Only ZSKs
+key_clear "KEY1"
+set_keyrole "KEY1" "zsk"
+set_keylifetime "KEY1" "16070400"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "no"
+set_zonesigning "KEY1" "yes"
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
+
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "16070400"
+set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "no"
+set_keystate "KEY2" "GOAL" "hidden"
+set_keystate "KEY2" "STATE_DNSKEY" "hidden"
+set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
+
+MAXDEPTH=1
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_subdomain
+dnssec_verify
+
+# For checking the apex, we need to store the expected KSK metadata.
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+set_policy "common" "1" "3600"
+set_server "ns1/offline" "10.53.0.1"
+set_keyrole "KEY2" "ksk"
+set_keylifetime "KEY2" "0"
+set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY2" "yes"
+set_zonesigning "KEY2" "no"
+check_keys "keep"
+
+DIR="ns1"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY2" "STATE_DS" "omnipresent"
+check_apex
+
+# Check that key id's match expected keys
+n=$((n + 1))
+zsk2=$(cat last-bundle.test.$DEFAULT_ALGORITHM_NUMBER.zsk2.id)
+key1=$(key_get "KEY1" BASEFILE)
+echo_i "check that published zsk $zsk2 matches first key $key1 in bundle ($n)"
+ret=0
+[ "ns1/$zsk2" = "$key1" ] || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+ksk=$(cat last-bundle.test.ksk1.id)
+key2=$(key_get "KEY2" BASEFILE)
+echo_i "check that published ksk $ksk matches ksk $key2 ($n)"
+ret=0
+[ "ns1/offline/$ksk" = "$key2" ] || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that last bundle warning is logged ($n)"
+wait_for_log 3 "zone last-bundle.test/IN (signed): zone_rekey: last bundle in skr, please import new skr file" ns1/named.run || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+# Key generation: in-the-middle
+n=$((n + 1))
+echo_i "generate keys for testing an SKR that is in the middle ($n)"
+ret=0
+ksr common -K ns1 -i -1y -e +1y keygen in-the-middle.test >ksr.keygen.out.$n 2>&1 || ret=1
+num=$(cat ksr.keygen.out.$n | wc -l)
+[ $num -eq 4 ] || ret=1
+set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400
+ksr_check_keys in-the-middle.test ns1 -31536000 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+# Create request: in-the-middle
+n=$((n + 1))
+echo_i "create ksr for in the middle test ($n)"
+ret=0
+ksr common -K ns1 -i -1y -e +1y request in-the-middle.test >ksr.request.out.$n 2>&1 || ret=1
+cp ksr.request.out.$n in-the-middle.test.ksr
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+# Sign request: in-the-middle
+n=$((n + 1))
+echo_i "create skr for in the middle test ($n)"
+ret=0
+ksr common -i -1y -e +1y -K ns1/offline -f in-the-middle.test.ksr sign in-the-middle.test >ksr.sign.out.$n 2>&1 || ret=1
+cp ksr.sign.out.$n ns1/in-the-middle.test.skr
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+# Add zone: in-the-middle
+n=$((n + 1))
+echo_i "add zone 'in-the-middle.test' ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 addzone 'in-the-middle.test { type primary; file "in-the-middle.test.db"; dnssec-policy common; };' 2>&1 | sed 's/^/I:ns1 /' || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+# Import skr: in-the-middle
+n=$((n + 1))
+echo_i "import ksr to zone 'in-the-middle.test' ($n)"
+ret=0
+sleep 2
+$RNDCCMD 10.53.0.1 skr -import in-the-middle.test.skr in-the-middle.test 2>&1 | sed 's/^/I:ns1 /' || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+# Test that in-the-middle.test is signed and uses the right DNSKEY and RRSIG records.
+n=$((n + 1))
+echo_i "test zone 'in-the-middle.test' is correctly signed ($n)"
+ret=0
+
+set_zone "in-the-middle.test"
+set_policy "common" "4" "3600"
+set_server "ns1" "10.53.0.1"
+# Only ZSKs
+key_clear "KEY1"
+set_keyrole "KEY1" "zsk"
+set_keylifetime "KEY1" "16070400"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "no"
+set_zonesigning "KEY1" "yes"
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
+
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "16070400"
+set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "no"
+set_keystate "KEY2" "GOAL" "hidden"
+set_keystate "KEY2" "STATE_DNSKEY" "hidden"
+set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
+
+key_clear "KEY3"
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "16070400"
+set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "no"
+set_keystate "KEY3" "GOAL" "hidden"
+set_keystate "KEY3" "STATE_DNSKEY" "hidden"
+set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
+
+key_clear "KEY4"
+set_keyrole "KEY4" "zsk"
+set_keylifetime "KEY4" "16070400"
+set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY4" "no"
+set_zonesigning "KEY4" "no"
+set_keystate "KEY4" "GOAL" "hidden"
+set_keystate "KEY4" "STATE_DNSKEY" "hidden"
+set_keystate "KEY4" "STATE_ZRRSIG" "hidden"
+
+MAXDEPTH=1
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_subdomain
+dnssec_verify
+
+# For checking the apex, we need to store the expected KSK metadata.
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+set_policy "common" "1" "3600"
+set_server "ns1/offline" "10.53.0.1"
+set_keyrole "KEY2" "ksk"
+set_keylifetime "KEY2" "0"
+set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY2" "yes"
+set_zonesigning "KEY2" "no"
+check_keys "keep"
+
+DIR="ns1"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY2" "STATE_DS" "omnipresent"
+check_apex
+
+# Check that key id's match expected keys
+n=$((n + 1))
+zsk2=$(cat in-the-middle.test.$DEFAULT_ALGORITHM_NUMBER.zsk2.id)
+key1=$(key_get "KEY1" BASEFILE)
+echo_i "check that published zsk $zsk2 matches first key $key1 in bundle ($n)"
+ret=0
+[ "ns1/$zsk2" = "$key1" ] || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+ksk=$(cat in-the-middle.test.ksk1.id)
+key2=$(key_get "KEY2" BASEFILE)
+echo_i "check that published ksk $ksk matches ksk $key2 ($n)"
+ret=0
+[ "ns1/offline/$ksk" = "$key2" ] || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that no last bundle warning is logged ($n)"
+grep "zone $zone/IN (signed): zone_rekey failure: no available SKR bundle" ns1/named.run && ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+# Test error conditions
+check_rekey_logs_error() {
+ zone=$1
+ inc=$2
+ exp=$3
+ offset=$4
+
+ # Key generation
+ ksr common -K ns1 -i $inc -e $exp keygen $zone >ksr.keygen.out.$n 2>&1 || return 1
+ num=$(cat ksr.keygen.out.$n | wc -l)
+ [ $num -eq 2 ] || return 1
+ set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400
+ ksr_check_keys $zone ns1 $offset || return 1
+ # Create request
+ ksr common -K ns1 -i $inc -e $exp request $zone >ksr.request.out.$n 2>&1 || return 1
+ cp ksr.request.out.$n $zone.ksr
+ # Sign request
+ ksr common -K ns1/offline -i $inc -e $exp -f $zone.ksr sign $zone >ksr.sign.out.$n 2>&1 || return 1
+ cp ksr.sign.out.$n ns1/$zone.skr
+ # Import skr
+ $RNDCCMD 10.53.0.1 skr -import $zone.skr $zone 2>&1 | sed 's/^/I:ns1 /' || return 1
+ # Test that rekey logs error
+ wait_for_log 3 "zone $zone/IN (signed): zone_rekey failure: no available SKR bundle" ns1/named.run || return 1
+}
+
+n=$((n + 1))
+echo_i "check that an SKR that is too old logs error ($n)"
+$RNDCCMD 10.53.0.1 addzone 'past.test { type primary; file "past.test.db"; dnssec-policy common; };' 2>&1 | sed 's/^/I:ns1 /' || ret=1
+check_rekey_logs_error "past.test" -2y -1y -63072000 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that an SKR that is too new logs error ($n)"
+$RNDCCMD 10.53.0.1 addzone 'future.test { type primary; file "future.test.db"; dnssec-policy common; };' 2>&1 | sed 's/^/I:ns1 /' || ret=1
+check_rekey_logs_error "future.test" +1mo +1y 2592000 || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
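Review bot: The negative check for in-the-middle.test (`grep "zone $zone/IN (signed): zone_rekey failure: no available SKR bundle" ns1/named.run && ret=1`) greps on lowercase `$zone`, which nothing in this hunk assigns before that point — `set_zone` populates `$ZONE`, and `zone` is only set later inside `check_rekey_logs_error` — so unless an earlier part of tests.sh happens to set it, the pattern degrades to `zone /IN (signed): …`, never matches, and the assertion passes vacuously; a regression in bundle selection for the not-first-bundle case would go unnoticed. Hard-coding the name, `grep "zone in-the-middle.test/IN (signed): zone_rekey failure: no available SKR bundle" ns1/named.run && ret=1`, fixes it, and `grep -q` would keep the log line out of the test output. The `echo_i` text ("no last bundle warning is logged") also does not describe the message being grepped, which is the "no available SKR bundle" rekey failure rather than the "last bundle in skr" warning checked for last-bundle.test; one of the two should be changed so the log reads truthfully. Separately, the two error-condition tests at the end never reset `ret=0` after their `echo_i`, so a failure in the preceding check is counted twice in `status`; add `ret=0` before each `addzone` call. `check_rekey_logs_error` also assigns `zone`, `inc`, `exp` and `offset` globally, which is what leaves `$zone` pointing at `future.test` for anything that runs after this hunk.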