Match algorithms when checking signatures

In the ksr system test, the test_ksr_twotone case may fail if there
are two keys with the same keytag (but different algorithms), because
one key is expected to be signing and the other is not.

Switch to regular expression matching and include the algorithm in the
search string.
Matthijs Mekking 2024-10-31 11:25:23 +01:00
parent 84d91b6b3a
commit 795fcc9f80


@ -345,37 +345,41 @@ def _check_signatures(signatures, covers, fqdn, keys):
active = now >= activate
retired = inactive is not None and inactive <= now
signing = active and not retired
alg = key.get_metadata("Algorithm")
rtype = dns.rdatatype.to_text(covers)
expect = rf"IN RRSIG {rtype} {alg} (\d) (\d+) (\d+) (\d+) {key.tag} {fqdn}"
if not signing:
for rrsig in signatures:
assert f" {key.tag} {fqdn}" not in rrsig
assert re.search(expect, rrsig) is None
continue
if zrrsig and key.is_zsk():
has_rrsig = False
for rrsig in signatures:
if f" {key.tag} {fqdn}" in rrsig:
if re.search(expect, rrsig) is not None:
has_rrsig = True
break
assert has_rrsig
assert has_rrsig, f"Expected signature but not found: {expect}"
numsigs += 1
if zrrsig and not key.is_zsk():
for rrsig in signatures:
assert f" {key.tag} {fqdn}" not in rrsig
assert re.search(expect, rrsig) is None
if krrsig and key.is_ksk():
has_rrsig = False
for rrsig in signatures:
if f" {key.tag} {fqdn}" in rrsig:
if re.search(expect, rrsig) is not None:
has_rrsig = True
break
assert has_rrsig
assert has_rrsig, f"Expected signature but not found: {expect}"
numsigs += 1
if krrsig and not key.is_ksk():
for rrsig in signatures:
assert f" {key.tag} {fqdn}" not in rrsig
assert re.search(expect, rrsig) is None
return numsigs
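Review bot: The new `expect` pattern interpolates `fqdn` into the regex unescaped, so each `.` in the name matches any character, and the labels field is `(\d)`, which matches only a single digit. Most uses of the pattern are negative assertions (`re.search(expect, rrsig) is None`), which guard against an inactive, retired or wrong-role key still signing. A pattern that fails to match for a formatting reason lets those checks pass vacuously, whereas the old substring test was looser and failed more readily. I would write `expect = rf"IN RRSIG {rtype} {alg} (\d+) (\d+) (\d+) (\d+) {key.tag} {re.escape(fqdn)}"` and add a comment naming the fields (labels, original TTL, expiration, inception), since the capture groups are never read. The pattern also assumes single-space separators in the text form of `signatures`, which should be confirmed, because `_check_signatures` begins outside this hunk and the source of those strings is not visible here.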