From: Matthijs Mekking <matthijs@isc.org>
Date: Thu, 31 Oct 2024 10:25:23 +0000 (+0100)
Subject: Match algorithms when checking signatures
X-Git-Tag: v9.21.3~50^2
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=795fcc9f803068de8c5dbdbcbba69bbd0545b8be;p=thirdparty%2Fbind9.git

Match algorithms when checking signatures

In the ksr system test, the test_ksr_twotone case may fail if there
are two keys with the same keytag (but different algorithms), because
one key is expected to be signing and the other is not.

Switch to regular expression matching and include the algorithm in the
search string.
---

diff --git a/bin/tests/system/isctest/kasp.py b/bin/tests/system/isctest/kasp.py
index 223dc33be16..7dd2c1d5020 100644
--- a/bin/tests/system/isctest/kasp.py
+++ b/bin/tests/system/isctest/kasp.py
@@ -345,37 +345,41 @@ def _check_signatures(signatures, covers, fqdn, keys):
         active = now >= activate
         retired = inactive is not None and inactive <= now
         signing = active and not retired
+        alg = key.get_metadata("Algorithm")
+        rtype = dns.rdatatype.to_text(covers)
+
+        expect = rf"IN RRSIG {rtype} {alg} (\d) (\d+) (\d+) (\d+) {key.tag} {fqdn}"
 
         if not signing:
             for rrsig in signatures:
-                assert f" {key.tag} {fqdn}" not in rrsig
+                assert re.search(expect, rrsig) is None
             continue
 
         if zrrsig and key.is_zsk():
             has_rrsig = False
             for rrsig in signatures:
-                if f" {key.tag} {fqdn}" in rrsig:
+                if re.search(expect, rrsig) is not None:
                     has_rrsig = True
                     break
-            assert has_rrsig
+            assert has_rrsig, f"Expected signature but not found: {expect}"
             numsigs += 1
 
         if zrrsig and not key.is_zsk():
             for rrsig in signatures:
-                assert f" {key.tag} {fqdn}" not in rrsig
+                assert re.search(expect, rrsig) is None
 
         if krrsig and key.is_ksk():
             has_rrsig = False
             for rrsig in signatures:
-                if f" {key.tag} {fqdn}" in rrsig:
+                if re.search(expect, rrsig) is not None:
                     has_rrsig = True
                     break
-            assert has_rrsig
+            assert has_rrsig, f"Expected signature but not found: {expect}"
             numsigs += 1
 
         if krrsig and not key.is_ksk():
             for rrsig in signatures:
-                assert f" {key.tag} {fqdn}" not in rrsig
+                assert re.search(expect, rrsig) is None
 
     return numsigs