]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
projects / thirdparty / bind9.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3509419)
Let RSASHA1 signing keys be ignored in FIPS mode
authorMark Andrews <marka@isc.org>
Tue, 16 May 2023 00:15:00 +0000 (10:15 +1000)
committerMark Andrews <marka@isc.org>
Wed, 17 May 2023 23:51:39 +0000 (23:51 +0000)
When the FIPS provider is available, RSASHA1 signing keys for zone
"example.com." are ignored if the zone is attempted to be signed with
the dnssec-signzone "-F" (FIPS mode) option:

    "fatal: No signing keys specified or found"

bin/tests/system/dnssec/tests.sh patch | blob | blame | history

diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 224de5e0f37089be595e552a408401c6c02dc2ea..8f5f68a01981c79c70a4f83906b99c29f65ebdb6 100644 (file)
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1456,7 +1456,8 @@ else
        cd signer/general || exit 1
        rm -f signed.zone
        $SIGNER -F -f signed.zone -o example.com. test11.zone > signer.out.$n 2>&1 && exit 1
-       grep "fatal: dnskey 'example.com/RSASHA1/19857' failed to sign data" signer.out.$n > /dev/null
+       grep -F -e "fatal: No signing keys specified or found" \
+               -e "fatal: dnskey 'example.com/RSASHA1/19857' failed to sign data" signer.out.$n > /dev/null
     ) || ret=1
 fi
 n=$((n+1))
@@ -3588,7 +3589,7 @@ then
     echo_i "skipped: RSASHA1 is not supported"
 else
     $KEYGEN -F -a rsasha1 example.fips 2> keygen.err$n || true
-    grep "unsupported algorithm: RSASHA1" "keygen.err$n" > /dev/null || ret=1
+    grep -i "unsupported algorithm: RSASHA1" "keygen.err$n" > /dev/null || ret=1
 fi
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
@@ -3607,7 +3608,7 @@ then
     echo_i "skipped: RSASHA1 is not supported"
 else
     $KEYGEN -F -a nsec3rsasha1 example.fips 2> keygen.err$n || true
-    grep "unsupported algorithm: NSEC3RSASHA1" "keygen.err$n" > /dev/null || ret=1
+    grep -i "unsupported algorithm: NSEC3RSASHA1" "keygen.err$n" > /dev/null || ret=1
 fi
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
Mirror of https://gitlab.isc.org/isc-projects/bind9.git