From: Matthijs Mekking <matthijs@isc.org>
Date: Tue, 15 Mar 2022 15:10:34 +0000 (+0100)
Subject: Test dnssec-policy with multiple key stores
X-Git-Tag: v9.19.22~70^2~19
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4b5bba3a992b832aa5b59e9eee75903c95c306ed;p=thirdparty%2Fbind9.git

Test dnssec-policy with multiple key stores

Make sure that if a dnssec-policy uses multiple key stores, the keys
have the right attributes and are stored in their appropriate directory.
---

diff --git a/bin/tests/system/enginepkcs11/clean.sh b/bin/tests/system/enginepkcs11/clean.sh
index 7233784a029..c8b3c79d0db 100644
--- a/bin/tests/system/enginepkcs11/clean.sh
+++ b/bin/tests/system/enginepkcs11/clean.sh
@@ -23,6 +23,7 @@ rm -f pkcs11-tool.err.* pkcs11-tool.out.*
 rm -f signer.out.*
 rm -f ns1/*.example.db ns1/*.example.db.signed
 rm -f ns1/*.kasp.db ns1/*.kasp.db.signed
+rm -f ns1/*.split.db ns1/*.split.db.signed
 rm -f ns1/*.kskid1 ns1/*.kskid2 ns1/*.zskid1 ns1/*.zskid2
 rm -f ns1/dig.out.*
 rm -f ns1/K*
@@ -33,5 +34,6 @@ rm -f ns1/update.cmd.*
 rm -f ns1/update.log.*
 rm -f ns1/verify.out.*
 rm -f ns1/zone.*.jnl ns1/zone.*.jbk
+rm -rf ./ns1/keys/
 
 OPENSSL_CONF= softhsm2-util --delete-token --token "softhsm2-enginepkcs11" >/dev/null 2>&1 || echo_i "softhsm2-enginepkcs11 token not found for cleaning"
diff --git a/bin/tests/system/enginepkcs11/setup.sh b/bin/tests/system/enginepkcs11/setup.sh
index 59db1246648..54bd9568202 100644
--- a/bin/tests/system/enginepkcs11/setup.sh
+++ b/bin/tests/system/enginepkcs11/setup.sh
@@ -25,6 +25,8 @@ PWD=$(pwd)
 copy_setports ns1/named.conf.in ns1/named.conf
 sed -e "s/@ENGINE_ARGS@/${ENGINE_ARG}/g" <ns1/named.args.in >ns1/named.args
 
+mkdir ns1/keys
+
 keygen() {
   type="$1"
   bits="$2"
@@ -115,6 +117,9 @@ for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
     echo_i "Add zone $alg.kasp to named.conf"
     cp $infile ${dir}/zone.${alg}.kasp.db
 
+    echo_i "Add zone $alg.split to named.conf"
+    cp $infile ${dir}/zone.${alg}.split.db
+
     echo_i "Add zone $zone to named.conf"
     cat >>"${dir}/named.conf" <<EOF
 zone "$zone" {
@@ -137,6 +142,20 @@ zone "${alg}.kasp" {
 	allow-update { any; };
 };
 
+dnssec-policy "${alg}-split" {
+	keys {
+		ksk key-store "hsm" lifetime unlimited algorithm ${alg};
+		zsk key-store "disk" lifetime unlimited algorithm ${alg};
+	};
+};
+
+zone "${alg}.split" {
+	type primary;
+	file "zone.${alg}.split.db";
+	dnssec-policy "${alg}-split";
+	allow-update { any; };
+};
+
 EOF
   fi
 done
diff --git a/bin/tests/system/enginepkcs11/tests.sh b/bin/tests/system/enginepkcs11/tests.sh
index 2df9bd8d8f6..48b349e3929 100644
--- a/bin/tests/system/enginepkcs11/tests.sh
+++ b/bin/tests/system/enginepkcs11/tests.sh
@@ -176,11 +176,12 @@ EOF
   status=$((status + ret))
 
   # Check dnssec-policy interaction.
-  zone="${alg}.kasp"
 
   # Basic checks if setup was successful (dnssec-policy).
+  zone="${alg}.kasp"
   n=$((n + 1))
   ret=0
+  ret=0
   echo_i "Test key generation was successful for $zone ($n)"
   check_keys $zone 2 || ret=1
   status=$((status + ret))
@@ -209,11 +210,27 @@ EOF
   }
   retry_quiet 2 _dig_policy_soa || ret=1
   test "$ret" -eq 0 || echo_i "failed (expected a SOA RRSIG record)"
+
+  # Check a dnssec-policy that uses multiple key-stores.
+  zone="${alg}.split"
+  echo_i "Test key generation was successful for $zone ($n)"
+  # Check KSK.
+  check_keys $zone 1 || ret=1
+  # Check ZSK.
+  count=$(ls keys/K*.key | grep "K${_zone}" | wc -l)
+  test "$count" -eq 1 || ret=1
+  test "$ret" -eq 0 || echo_i "failed (expected 1 key, got $count)"
+  status=$((status + ret))
+  ret=0
+  count=$(cat keys/K${zone}*.private | grep Engine | wc -l)
+  test "$count" -eq 0 || ret=1
+  count=$(cat keys/K${zone}*.private | grep Label | wc -l)
+  test "$count" -eq 0 || ret=1
+  test "$ret" -eq 0 || echo_i "failed (unexpected Engine and Label in key files)"
   status=$((status + ret))
 
   # Check dnssec-keygen with dnssec-policy and key-store.
   zone="${alg}.keygen"
-
   n=$((n + 1))
   ret=0
   echo_i "Test dnssec-keygen for $zone ($n)"