Fix key ID extraction in the "dnssec" system test

Simply looking for the key ID surrounded by spaces in the tested dnssec-signzone output file is not a precise enough method of checking for signatures prepared using a given key ID: it can be tripped up by cross-algorithm key ID collisions and certain low key IDs (e.g. 60, the TTL specified in bin/tests/system/dnssec/signer/example.db.in), which triggers false positives for the "dnssec" system test. Make key ID extraction precise by using an awk script which operates on specific fields.
2019-03-20 22:21:30 +01:00
parent a17aff7421
commit a40c60e4c1
1 changed files with 21 additions and 8 deletions
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1440,6 +1440,19 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))

+get_rsasha1_key_ids_from_sigs() {
+	awk '
+		NF < 8 { next }
+		$(NF-5) != "RRSIG" { next }
+		$(NF-3) != "5" { next }
+		$NF != "(" { next }
+		{
+			getline;
+			print $3;
+		}
+	' signer/example.db.signed | sort -u
+}
+
 echo_i "checking that we can sign a zone with out-of-zone records ($n)"
 ret=0
 zone=example
@@ -1540,8 +1553,8 @@ cat example.db.in "$key1.key" "$key3.key" > example.db
 echo "\$INCLUDE \"example.db.signed\"" >> example.db
 $SIGNER -D -o example example.db > /dev/null 2>&1
 ) || ret=1
-grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 || ret=1
-grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1
+get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null || ret=1
+get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
@@ -1552,8 +1565,8 @@ ret=0
 cd signer || exit 1
 $SIGNER -RD -o example example.db > /dev/null 2>&1
 ) || ret=1
-grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 && ret=1
-grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1
+get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null && ret=1
+get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
@@ -1570,8 +1583,8 @@ echo "\$INCLUDE \"example.db.signed\"" >> example.db
 $SETTIME -I now "$key2" > /dev/null 2>&1
 $SIGNER -SD -o example example.db > /dev/null 2>&1
 ) || ret=1
-grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 || ret=1
-grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1
+get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null || ret=1
+get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
@@ -1582,8 +1595,8 @@ ret=0
 cd signer || exit 1
 $SIGNER -SDQ -o example example.db > /dev/null 2>&1
 ) || ret=1
-grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 && ret=1
-grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1
+get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null && ret=1
+get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))