From: Mark Andrews
Date: Tue, 16 May 2023 00:15:00 +0000 (+1000)
Subject: Let RSASHA1 signing keys be ignored in FIPS mode
X-Git-Tag: v9.19.14~43^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d360d8af8fd8baf9bf5d313567ed21042f9d420f;p=thirdparty%2Fbind9.git

Let RSASHA1 signing keys be ignored in FIPS mode

When the FIPS provider is available, RSASHA1 signing keys for zone "example.com." are ignored if the zone is attempted to be signed with the dnssec-signzone "-F" (FIPS mode) option:

"fatal: No signing keys specified or found"
---

diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 224de5e0f37..8f5f68a0198 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1456,7 +1456,8 @@ else
     cd signer/general || exit 1
     rm -f signed.zone
     $SIGNER -F -f signed.zone -o example.com. test11.zone > signer.out.$n 2>&1 && exit 1
-    grep "fatal: dnskey 'example.com/RSASHA1/19857' failed to sign data" signer.out.$n > /dev/null
+    grep -F -e "fatal: No signing keys specified or found" \
+      -e "fatal: dnskey 'example.com/RSASHA1/19857' failed to sign data" signer.out.$n > /dev/null
   ) || ret=1
 fi
 n=$((n+1))
@@ -3588,7 +3589,7 @@ then
   echo_i "skipped: RSASHA1 is not supported"
 else
   $KEYGEN -F -a rsasha1 example.fips 2> keygen.err$n || true
-  grep "unsupported algorithm: RSASHA1" "keygen.err$n" > /dev/null || ret=1
+  grep -i "unsupported algorithm: RSASHA1" "keygen.err$n" > /dev/null || ret=1
 fi
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
@@ -3607,7 +3608,7 @@ then
   echo_i "skipped: RSASHA1 is not supported"
 else
   $KEYGEN -F -a nsec3rsasha1 example.fips 2> keygen.err$n || true
-  grep "unsupported algorithm: NSEC3RSASHA1" "keygen.err$n" > /dev/null || ret=1
+  grep -i "unsupported algorithm: NSEC3RSASHA1" "keygen.err$n" > /dev/null || ret=1
 fi
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
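Review bot: Accepting "fatal: No signing keys specified or found" as a pass weakens what this check proves: that message would also appear if the RSASHA1 key files were absent from signer/general for an unrelated reason (a failed earlier keygen step, a cleanup glob), so the test could go green without ever exercising the FIPS rejection path. Since the commit message says FIPS mode now ignores such keys at load time, it would be worth asserting that the key actually existed before signing, e.g. `test -f Kexample.com.+005+19857.key || exit 1` ahead of the `$SIGNER` line (the exact filename is presumed from the key tag in the expected message; confirm against the fixture). A short comment above the grep saying why two messages are accepted would also help: `# FIPS mode either refuses to load the RSASHA1 key (no keys found) or loads it and fails at signing time, depending on the provider`. The enclosing `if`/subshell starts outside this hunk.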
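Review bot: Switching to `grep -i` on the "unsupported algorithm: RSASHA1" check broadens the match without saying why, which for a negative security test (FIPS must refuse SHA-1 key generation) is a precision loss a future reader cannot interpret; presumably the message case differs between dnssec-keygen's own algorithm check and the error surfaced when the FIPS provider rejects it. If that is the reason, document it on the grep line, `# message case varies by which layer rejects the algorithm (keygen vs. FIPS provider)`, or better, enumerate the two exact variants with `grep -F -e` so the test stays strict. The `if ... then` that this `else` branch belongs to begins outside the hunk.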
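Review bot: This NSEC3RSASHA1 block is now a line-for-line copy of the RSASHA1 block two hunks up, differing only in the algorithm name, and the commit had to patch both in lockstep; that duplication is how the two checks drift apart next time. A `for alg in rsasha1 nsec3rsasha1; do ... done` loop around the keygen/grep pair (with the expected message derived by upper-casing `$alg`) would keep the two FIPS negative tests identical by construction. As with the sibling hunk, the `-i` on the grep deserves a one-line comment stating which component emits the differently-cased message. The enclosing `if ... then` begins outside the hunk.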