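#!/bin/sh
#
# Copyright (C) 2010-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# Id: tests.sh,v 1.21 2012/02/09 23:47:18 tbox Exp

# "smartsign" system test.
#
# Generates a parent zone key pair and a set of child zone keys whose
# timing metadata (publish / activate / inactive dates, revocation, key
# TTL) covers every state dnssec-signzone's smart signing (-S) has to
# handle, signs both zones, and checks that:
#   - the key-count summary printed by dnssec-signzone is as expected,
#   - only the expected keys end up in each zone's DNSKEY set and in the
#     parent's DS set (a revoked KSK must not be there),
#   - only active keys have produced RRSIGs,
#   - key TTLs from the key files are carried into the signed zone,
#   - after waiting for a pre-published KSK to become active, re-signing
#     picks it up.
#
# Expected from conf.sh: KEYGEN, REVOKE, SETTIME, SIGNER, CHECKZONE and
# RANDFILE.  The tool variables are deliberately left unquoted so that
# conf.sh may embed options in them.
#
# Every section resets ret=0, runs its checks, prints "I:failed" when any
# of them fails and adds ret to the overall exit status.

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

status=0

pzone=parent.nil
pfile=parent.db

czone=child.parent.nil
cfile=child.db

# Reduce a dnssec-keygen key name ("K<zone>.+005+<id>") to its numeric
# key id, dropping leading zeros.
keyid() {
  echo "$1" | sed 's/^K.*+005+0*\([0-9]\)/\1/'
}

echo "I:generating child's keys"
# active zsk
czsk1=$($KEYGEN -q -r "$RANDFILE" -L 30 "$czone")
# not yet published or active
czsk2=$($KEYGEN -q -r "$RANDFILE" -P none -A none "$czone")
# published but not active
czsk3=$($KEYGEN -q -r "$RANDFILE" -A none "$czone")
# inactive
czsk4=$($KEYGEN -q -r "$RANDFILE" -P now-24h -A now-24h -I now "$czone")
# active in 12 hours, inactive 12 hours after that...
czsk5=$($KEYGEN -q -r "$RANDFILE" -P now+12h -A now+12h -I now+24h "$czone")
# explicit successor to czsk5
# (the warning about the lack of a removal date is discarded)
czsk6=$($KEYGEN -q -r "$RANDFILE" -S "$czsk5" -i 6h 2>/dev/null)
# active ksk
cksk1=$($KEYGEN -q -r "$RANDFILE" -fk -L 30 "$czone")
# published but not YET active; activated 30 seconds from now by the
# $SETTIME call below (moved after the other $KEYGENs)
cksk2=$($KEYGEN -q -r "$RANDFILE" -fk "$czone")

echo I:revoking key
# revoking a key changes its key id, so both the pre-revocation (cksk3)
# and post-revocation (cksk4) ids are tracked and checked below
cksk3=$($KEYGEN -q -r "$RANDFILE" -fk "$czone")
cksk4=$($REVOKE "$cksk3")

echo I:generating parent keys
pzsk=$($KEYGEN -q -r "$RANDFILE" "$pzone")
pksk=$($KEYGEN -q -r "$RANDFILE" -fk "$pzone")

echo "I:setting child's activation time"
# using now+30s to fix RT 24561
$SETTIME -A now+30s "$cksk2" > /dev/null

echo I:signing child zone
czoneout=$($SIGNER -Sg -e now+1d -X now+2d -r "$RANDFILE" -o "$czone" "$cfile" 2>&1)

echo I:signing parent zone
pzoneout=$($SIGNER -Sg -r "$RANDFILE" -o "$pzone" "$pfile" 2>&1)

czactive=$(keyid "$czsk1")
czgenerated=$(keyid "$czsk2")
czpublished=$(keyid "$czsk3")
czinactive=$(keyid "$czsk4")
czpredecessor=$(keyid "$czsk5")
czsuccessor=$(keyid "$czsk6")
ckactive=$(keyid "$cksk1")
ckpublished=$(keyid "$cksk2")
ckprerevoke=$(keyid "$cksk3")
# dnssec-revoke's output is matched from the end of the name rather than
# from a leading "K", so it is not run through keyid()
ckrevoked=$(echo "$cksk4" | sed 's/.*+005+0*\([0-9]*\)$/\1/')

pzid=$(keyid "$pzsk")
pkid=$(keyid "$pksk")

echo "I:checking dnssec-signzone output matches expectations"
ret=0
echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
echo "$pzoneout" | grep 'ZSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1
echo "$czoneout" | grep 'ZSKs: 1 active, 2 stand-by, 0 revoked' > /dev/null || ret=1
if [ "$ret" != 0 ]; then
  echo "I: parent $pzoneout"
  echo "I: child $czoneout"
  echo "I:failed"
fi
status=$((status + ret))

echo "I:rechecking dnssec-signzone output with -x"
ret=0
# use an alternate output file so -x doesn't interfere with later checks
pzoneout=$($SIGNER -Sxg -r "$RANDFILE" -o "$pzone" -f "${pfile}2.signed" "$pfile" 2>&1)
czoneout=$($SIGNER -Sxg -e now+1d -X now+2d -r "$RANDFILE" -o "$czone" -f "${cfile}2.signed" "$cfile" 2>&1)
echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
echo "$pzoneout" | grep 'ZSKs: 1 active, 0 present, 0 revoked' > /dev/null || ret=1
echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1
echo "$czoneout" | grep 'ZSKs: 1 active, 2 present, 0 revoked' > /dev/null || ret=1
if [ "$ret" != 0 ]; then
  echo "I: parent $pzoneout"
  echo "I: child $czoneout"
  echo "I:failed"
fi
status=$((status + ret))

echo "I:checking parent zone DNSKEY set"
ret=0
grep "key id = $pzid" "$pfile.signed" > /dev/null || {
  ret=1
  echo "I: missing expected parent ZSK id = $pzid"
}
grep "key id = $pkid" "$pfile.signed" > /dev/null || {
  ret=1
  echo "I: missing expected parent KSK id = $pkid"
}
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))

echo "I:checking parent zone DS records"
ret=0
awk '$2 == "DS" {print $3}' "$pfile.signed" > dsset.out
grep -w "$ckactive" dsset.out > /dev/null || ret=1
grep -w "$ckpublished" dsset.out > /dev/null || ret=1
# the revoked key must not be in the DS set under either of its ids,
# hence the &&
grep -w "$ckprerevoke" dsset.out > /dev/null && ret=1
grep -w "$ckrevoked" dsset.out > /dev/null && ret=1
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))

echo "I:checking child zone DNSKEY set"
ret=0
grep "key id = $ckactive" "$cfile.signed" > /dev/null || {
  ret=1
  echo "I: missing expected child KSK id = $ckactive"
}
grep "key id = $ckpublished" "$cfile.signed" > /dev/null || {
  ret=1
  echo "I: missing expected child prepublished KSK id = $ckpublished"
}
grep "key id = $ckrevoked" "$cfile.signed" > /dev/null || {
  ret=1
  echo "I: missing expected child revoked KSK id = $ckrevoked"
}
grep "key id = $czactive" "$cfile.signed" > /dev/null || {
  ret=1
  echo "I: missing expected child ZSK id = $czactive"
}
grep "key id = $czpublished" "$cfile.signed" > /dev/null || {
  ret=1
  echo "I: missing expected child prepublished ZSK id = $czpublished"
}
grep "key id = $czinactive" "$cfile.signed" > /dev/null || {
  ret=1
  echo "I: missing expected child inactive ZSK id = $czinactive"
}
# should not be there, hence the &&
grep "key id = $ckprerevoke" "$cfile.signed" > /dev/null && {
  ret=1
  echo "I: found unexpected child pre-revoke KSK id = $ckprerevoke"
}
grep "key id = $czgenerated" "$cfile.signed" > /dev/null && {
  ret=1
  echo "I: found unexpected child generated ZSK id = $czgenerated"
}
# predecessor/successor presence is reported but does not fail the test
grep "key id = $czpredecessor" "$cfile.signed" > /dev/null && {
  echo "I: found unexpected ZSK predecessor id = $czpredecessor (ignored)"
}
grep "key id = $czsuccessor" "$cfile.signed" > /dev/null && {
  echo "I: found unexpected ZSK successor id = $czsuccessor (ignored)"
}
#grep "key id = $czpredecessor" $cfile.signed > /dev/null && ret=1
#grep "key id = $czsuccessor" $cfile.signed > /dev/null && ret=1
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))

echo "I:checking key TTLs are correct"
ret=0
grep "${czone}. 30 IN" "${czsk1}.key" > /dev/null 2>&1 || ret=1
grep "${czone}. 30 IN" "${cksk1}.key" > /dev/null 2>&1 || ret=1
grep "${czone}. IN" "${czsk2}.key" > /dev/null 2>&1 || ret=1
$SETTIME -L 45 "${czsk2}" > /dev/null
grep "${czone}. 45 IN" "${czsk2}.key" > /dev/null 2>&1 || ret=1
$SETTIME -L 0 "${czsk2}" > /dev/null
grep "${czone}. IN" "${czsk2}.key" > /dev/null 2>&1 || ret=1
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))

echo "I:checking key TTLs were imported correctly"
ret=0
awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 30 {r = 1} END {exit r}' \
  "${cfile}.signed" || ret=1
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))

echo "I:re-signing and checking imported TTLs again"
ret=0
$SETTIME -L 15 "${czsk2}" > /dev/null
czoneout=$($SIGNER -Sg -e now+1d -X now+2d -r "$RANDFILE" -o "$czone" "$cfile" 2>&1)
awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 15 {r = 1} END {exit r}' \
  "${cfile}.signed" || ret=1
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))

# There is some weirdness in Solaris 10 (Generic_120011-14), which
# is why the next section has all those echo $ret > /dev/null;sync
# commands
echo "I:checking child zone signatures"
ret=0
# check DNSKEY signatures first
awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $3 }' "$cfile.signed" > dnskey.sigs
sub=0
grep -w "$ckactive" dnskey.sigs > /dev/null || sub=1
if [ "$sub" != 0 ]; then echo "I:missing ckactive $ckactive (dnskey)"; ret=1; fi
echo $ret > /dev/null
sync
sub=0
grep -w "$ckrevoked" dnskey.sigs > /dev/null || sub=1
if [ "$sub" != 0 ]; then echo "I:missing ckrevoked $ckrevoked (dnskey)"; ret=1; fi
echo $ret > /dev/null
sync
sub=0
grep -w "$czactive" dnskey.sigs > /dev/null || sub=1
if [ "$sub" != 0 ]; then echo "I:missing czactive $czactive (dnskey)"; ret=1; fi
# should not be there:
echo $ret > /dev/null
sync
sub=0
grep -w "$ckprerevoke" dnskey.sigs > /dev/null && sub=1
if [ "$sub" != 0 ]; then echo "I:found ckprerevoke $ckprerevoke (dnskey)"; ret=1; fi
echo $ret > /dev/null
sync
sub=0
grep -w "$ckpublished" dnskey.sigs > /dev/null && sub=1
if [ "$sub" != 0 ]; then echo "I:found ckpublished $ckpublished (dnskey)"; ret=1; fi
echo $ret > /dev/null
sync
sub=0
grep -w "$czpublished" dnskey.sigs > /dev/null && sub=1
if [ "$sub" != 0 ]; then echo "I:found czpublished $czpublished (dnskey)"; ret=1; fi
echo $ret > /dev/null
sync
sub=0
grep -w "$czinactive" dnskey.sigs > /dev/null && sub=1
if [ "$sub" != 0 ]; then echo "I:found czinactive $czinactive (dnskey)"; ret=1; fi
echo $ret > /dev/null
sync
sub=0
grep -w "$czgenerated" dnskey.sigs > /dev/null && sub=1
if [ "$sub" != 0 ]; then echo "I:found czgenerated $czgenerated (dnskey)"; ret=1; fi
# now check the signatures over everything other than the DNSKEY RRset;
# only the active ZSK may have produced them
awk '$2 == "RRSIG" && $3 != "DNSKEY" { getline; print $3 }' "$cfile.signed" | sort -un > other.sigs
# should not be there:
echo $ret > /dev/null
sync
sub=0
grep -w "$ckactive" other.sigs > /dev/null && sub=1
if [ "$sub" != 0 ]; then echo "I:found ckactive $ckactive (other)"; ret=1; fi
echo $ret > /dev/null
sync
sub=0
grep -w "$ckpublished" other.sigs > /dev/null && sub=1
if [ "$sub" != 0 ]; then echo "I:found ckpublished $ckpublished (other)"; ret=1; fi
echo $ret > /dev/null
sync
sub=0
grep -w "$ckprerevoke" other.sigs > /dev/null && sub=1
if [ "$sub" != 0 ]; then echo "I:found ckprerevoke $ckprerevoke (other)"; ret=1; fi
echo $ret > /dev/null
sync
sub=0
grep -w "$ckrevoked" other.sigs > /dev/null && sub=1
if [ "$sub" != 0 ]; then echo "I:found ckrevoked $ckrevoked (other)"; ret=1; fi
echo $ret > /dev/null
sync
sub=0
grep -w "$czpublished" other.sigs > /dev/null && sub=1
if [ "$sub" != 0 ]; then echo "I:found czpublished $czpublished (other)"; ret=1; fi
echo $ret > /dev/null
sync
sub=0
grep -w "$czinactive" other.sigs > /dev/null && sub=1
if [ "$sub" != 0 ]; then echo "I:found czinactive $czinactive (other)"; ret=1; fi
echo $ret > /dev/null
sync
sub=0
grep -w "$czgenerated" other.sigs > /dev/null && sub=1
if [ "$sub" != 0 ]; then echo "I:found czgenerated $czgenerated (other)"; ret=1; fi
echo $ret > /dev/null
sync
sub=0
grep -w "$czpredecessor" other.sigs > /dev/null && sub=1
if [ "$sub" != 0 ]; then echo "I:found czpredecessor $czpredecessor (other)"; ret=1; fi
echo $ret > /dev/null
sync
sub=0
grep -w "$czsuccessor" other.sigs > /dev/null && sub=1
if [ "$sub" != 0 ]; then echo "I:found czsuccessor $czsuccessor (other)"; ret=1; fi
if [ "$ret" != 0 ]; then
  sed 's/^/I:dnskey sigs: /' < dnskey.sigs
  sed 's/^/I:other sigs: /' < other.sigs
  echo "I:failed"
fi
status=$((status + ret))

echo "I:checking RRSIG expiry date correctness"
ret=0
# -X now+2d was given for the DNSKEY RRset and -e now+1d for the rest,
# so the DNSKEY RRSIG must expire later than the SOA RRSIG
dnskey_expiry=$($CHECKZONE -o - "$czone" "$cfile.signed" 2> /dev/null |
  awk '$4 == "RRSIG" && $5 == "DNSKEY" {print $9; exit}' |
  cut -c1-10)
soa_expiry=$($CHECKZONE -o - "$czone" "$cfile.signed" 2> /dev/null |
  awk '$4 == "RRSIG" && $5 == "SOA" {print $9; exit}' |
  cut -c1-10)
# an empty value (RRSIG not found) counts as a failure instead of
# producing a test(1) usage error
if [ -n "$dnskey_expiry" ] && [ -n "$soa_expiry" ] &&
   [ "$dnskey_expiry" -gt "$soa_expiry" ]; then
  :
else
  ret=1
fi
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))

echo "I:waiting 30 seconds for key activation"
sleep 30
echo "I:re-signing child zone"
# re-sign from the already signed zone, then replace it with the result
czoneout2=$($SIGNER -Sg -r "$RANDFILE" -o "$czone" -f "$cfile.new" "$cfile.signed" 2>&1)
mv "$cfile.new" "$cfile.signed"

echo "I:checking dnssec-signzone output matches expectations"
ret=0
echo "$czoneout2" | grep 'KSKs: 2 active, 0 stand-by, 1 revoked' > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))

echo "I:checking child zone signatures again"
ret=0
awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $3 }' "$cfile.signed" > dnskey.sigs
grep -w "$ckpublished" dnskey.sigs > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))

echo "I:exit status: $status"
exit $status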