diff --git a/bin/tests/system/ksr/clean.sh b/bin/tests/system/ksr/clean.sh index 9c19a7d88b..65efd52db5 100644 --- a/bin/tests/system/ksr/clean.sh +++ b/bin/tests/system/ksr/clean.sh @@ -13,9 +13,17 @@ set -e +rm -f ./*.ksk* +rm -f ./*.zsk* rm -f ./created.out -rm -f ./python.out +rm -f ./keygen.out.* rm -f ./named.conf +rm -f ./now.out +rm -f ./python.out +rm -f ./settime.out.* rm -f ./K* -rm -f ./ksr.out.* rm -rf ./keydir +rm -f ./ksr.*.err.* +rm -f ./ksr.*.expect +rm -f ./ksr.*.expect.* +rm -f ./ksr.*.out.* diff --git a/bin/tests/system/ksr/setup.sh b/bin/tests/system/ksr/setup.sh index 3e95924fc6..ae272a2049 100644 --- a/bin/tests/system/ksr/setup.sh +++ b/bin/tests/system/ksr/setup.sh @@ -21,3 +21,17 @@ $SHELL clean.sh mkdir keydir copy_setports named.conf.in named.conf + +# Create KSK for the various policies. +create_ksk () { + KSK=$($KEYGEN -l named.conf -fK -k $2 $1 2> keygen.out.$1) + num=0 + for ksk in $KSK + do + num=$(($num+1)) + cat "${ksk}.key" | grep -v ";.*" > "$1.ksk$num" + done +} +create_ksk common.test common +create_ksk unlimited.test unlimited +create_ksk two-tone.test two-tone diff --git a/bin/tests/system/ksr/tests.sh b/bin/tests/system/ksr/tests.sh index 6d3d7c9bdb..d64a84e62f 100644 --- a/bin/tests/system/ksr/tests.sh +++ b/bin/tests/system/ksr/tests.sh @@ -43,7 +43,7 @@ EOF } # Check keys that were created. The keys created are listed in the latest ksr output -# file, ksr.out.$n. +# file, ksr.keygen.out.$n. # $1: zone name # $2: key directory check_keys () ( 
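Review bot: In `create_ksk` (setup.sh) the exit status of `$KEYGEN` is never checked and `$1`/`$2` are expanded unquoted, so a failed key generation leaves `KSK` empty, the loop body is skipped and no `$1.ksk$num` file is written. Unless `set -e` is active above the hunk (not visible here), this only surfaces later in tests.sh as a missing `common.test.ksk1` and a failing `diff`. I would write `KSK=$($KEYGEN -l named.conf -fK -k "$2" "$1" 2> "keygen.out.$1") || return 1` and replace the `cat | grep` with `grep -v ";.*" "${ksk}.key" > "$1.ksk$num"`. The `ksk1`/`ksk2` numbering follows the order in which keygen prints the key names, and the two-tone expectations in tests.sh appear to depend on that order, so a comment stating the assumption would help.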
@@ -55,12 +55,14 @@ check_keys () ( inception=0 pad=$(printf "%03d" "$alg") - for key in $(grep "K${zone}.+$pad+" ksr.out.$n) + num=0 + for key in $(grep "K${zone}.+$pad+" ksr.keygen.out.$n) do grep "; Created:" "${dir}/${key}.key" > created.out || return 1 created=$(awk '{print $3}' < created.out) - # active: created + inception - active=$(addtime $created $inception) + test "$num" -eq 0 && retired=$created + # active: retired previous key + active=$retired # published: 2h5m (dnskey-ttl + publish-safety + propagation) published=$(addtime $active -7500) # retired: zsk-lifetime @@ -81,16 +83,34 @@ check_keys () ( grep "Removed: $removed" $statefile > /dev/null || return 1 inception=$((inception+lifetime)) + num=$((num+1)) + # Save some information for testing cp ${dir}/${key}.key ${key}.key.expect cp ${dir}/${key}.private ${key}.private.expect cp ${dir}/${key}.state ${key}.state.expect + cat ${dir}/${key}.key | grep -v ";.*" > "${zone}.${alg}.zsk${num}" + echo $key > "${zone}.${alg}.zsk${num}.id" done return 0 ) - +# Print the DNSKEY records for zone $1, which have keys listed in file $5 +# that match the keys with numbers $2 and $3, and match algorithm number $4, +# sorted by keytag. +print_dnskeys () { + for key in $(cat $5 | sort) + do + for num in $2 $3 + do + zsk=$(cat $1.$4.zsk$num.id) + if [ "$key" = "$zsk" ]; then + cat $1.$4.zsk$num >> ksr.request.expect.$n + fi + done + done +} # Call the dnssec-ksr command: # ksr [options] ksr () { 
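Review bot: As far as the visible lines show, `inception` in `check_keys` is dead after this change: `active` now comes from `$retired`, yet `inception=0` and the later `inception=$((inception+lifetime))` are kept. Removing both avoids suggesting that key timing is still derived from an inception offset. The seed line `test "$num" -eq 0 && retired=$created` would benefit from a comment such as `# first key becomes active at creation; each later key becomes active when its predecessor retires`, because `retired` is otherwise assigned further down the loop, outside this hunk. The body of `check_keys` starts and ends outside the hunk.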
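Review bot: `print_dnskeys` does not print; it appends to `ksr.request.expect.$n` itself through the global `$n`. The two-tone callers later in this diff add `>> ksr.request.expect.$n` to the call while the common-policy callers do not, and both work only because the function's stdout is empty. Having the function write to stdout (`cat "$1.$4.zsk$num"`) and redirecting at every call site would make the name, the header comment and the callers agree. `for key in $(cat $5 | sort)` can be `$(sort "$5")`, and the remaining expansions (`$1.$4.zsk$num.id`, `${dir}/${key}.key`, `echo $key`) should be quoted.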
@@ -101,12 +121,12 @@ ksr () { n=$((n+1)) echo_i "check that 'dnssec-ksr' errors on unknown action ($n)" ret=0 -ksr common foobar common.test > ksr.out.$n 2>&1 && ret=1 -grep "dnssec-ksr: fatal: unknown command 'foobar'" ksr.out.$n > /dev/null || ret=1 +ksr common foobar common.test > ksr.foobar.out.$n 2>&1 && ret=1 +grep "dnssec-ksr: fatal: unknown command 'foobar'" ksr.foobar.out.$n > /dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -# Key generation. +# Key generation: common set_zsk () { ALG=$1 SIZE=$2 
@@ -114,31 +134,35 @@ set_zsk () { } n=$((n+1)) -echo_i "check that 'dnssec-ksr' errors on missing end date ($n)" +echo_i "check that 'dnssec-ksr keygen' errors on missing end date ($n)" ret=0 -ksr common keygen common.test > ksr.out.$n 2>&1 && ret=1 -grep "dnssec-ksr: fatal: keygen requires an end date" ksr.out.$n > /dev/null|| ret=1 +ksr common keygen common.test > ksr.keygen.out.$n 2>&1 && ret=1 +grep "dnssec-ksr: fatal: keygen requires an end date" ksr.keygen.out.$n > /dev/null|| ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) n=$((n+1)) -echo_i "check that 'dnssec-ksr' pregenerates right amount of keys in the common case ($n)" +echo_i "check that 'dnssec-ksr keygen' pregenerates right amount of keys in the common case ($n)" ret=0 -ksr common -i now -e +1y keygen common.test > ksr.out.$n 2>&1 || ret=1 -num=$(cat ksr.out.$n | wc -l) +ksr common -i now -e +1y keygen common.test > ksr.keygen.out.$n 2>&1 || ret=1 +num=$(cat ksr.keygen.out.$n | wc -l) [ $num -eq 2 ] || ret=1 set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400 check_keys common.test "." || ret=1 -cp ksr.out.$n ksr.out.expect +cp ksr.keygen.out.$n ksr.keygen.out.expect test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) +# save now time +key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id) +grep "; Created:" "${key}.key" > now.out || ret=1 +now=$(awk '{print $3}' < now.out) n=$((n+1)) -echo_i "check that 'dnssec-ksr' selects pregenerated keys for the same time bundle ($n)" +echo_i "check that 'dnssec-ksr keygen' selects pregenerated keys for the same time bundle ($n)" ret=0 -ksr common -e +1y keygen common.test > ksr.out.$n 2>&1 || ret=1 -diff ksr.out.expect ksr.out.$n > /dev/null|| ret=1 -for key in $(cat ksr.out.$n) +ksr common -e +1y keygen common.test > ksr.keygen.out.$n 2>&1 || ret=1 +diff ksr.keygen.out.expect ksr.keygen.out.$n > /dev/null|| ret=1 +for key in $(cat ksr.keygen.out.$n) do # Ensure the files are not modified. 
diff ${key}.key ${key}.key.expect > /dev/null || ret=1 
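Review bot: The `# save now time` block sets `ret=1` after `status=$((status+ret))` has already been evaluated, and the next check begins with `ret=0`, so a failure to read the creation time is silently discarded. `$now` is then empty, the later unquoted `-i $now` arguments collapse, and the request checks fail for a reason the log does not show. Move the three lines above `test "$ret" -eq 0 || echo_i "failed"`, or record the failure directly with `grep "; Created:" "${key}.key" > now.out || status=$((status+1))`, and pass `"$now"` quoted to `ksr`.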
@@ -148,40 +172,149 @@ done test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) +# Create request: common n=$((n+1)) -echo_i "check that 'dnssec-ksr' selects generates only necessary keys for overlapping time bundle ($n)" +echo_i "check that 'dnssec-ksr request' errors on missing end date ($n)" ret=0 -ksr common -e +2y -v 1 keygen common.test > ksr.out.$n 2>&1 || ret=1 -num=$(cat ksr.out.$n | wc -l) +ksr common request common.test > ksr.request.out.$n 2>&1 && ret=1 +grep "dnssec-ksr: fatal: request requires an end date" ksr.request.out.$n > /dev/null|| ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +n=$((n+1)) +echo_i "check that 'dnssec-ksr request' creates correct KSR in the common case ($n)" +ret=0 +ksr common -i $now -e +1y request common.test > ksr.request.out.$n 2>&1 || ret=1 +# Bundle 1: KSK + ZSK1 +key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id) +inception=$(cat $key.state | grep "Generated" | cut -d' ' -f 2-) +echo ";; KSR common.test - bundle $inception" > ksr.request.expect.$n +cat common.test.ksk1 >> ksr.request.expect.$n +cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 >> ksr.request.expect.$n +# Bundle 2: KSK + ZSK1 + ZSK2 +key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk2.id) +inception=$(cat $key.state | grep "Published" | cut -d' ' -f 2-) +echo ";; KSR common.test - bundle $inception" >> ksr.request.expect.$n +cat common.test.ksk1 >> ksr.request.expect.$n +print_dnskeys common.test 1 2 $DEFAULT_ALGORITHM_NUMBER ksr.keygen.out.expect +# Bundle 3: KSK + ZSK2 +key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id) +inception=$(cat $key.state | grep "Removed" | cut -d' ' -f 2-) +echo ";; KSR common.test - bundle $inception" >> ksr.request.expect.$n +cat common.test.ksk1 >> ksr.request.expect.$n +cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >> ksr.request.expect.$n +diff ksr.request.out.$n ksr.request.expect.$n > /dev/null || ret=1 +cp ksr.request.expect.$n ksr.request.expect +test "$ret" -eq 0 || echo_i 
"failed" +status=$((status+ret)) + +# Key generation: common (2) +n=$((n+1)) +echo_i "check that 'dnssec-ksr keygen' pregenerates keys in the given key-directory ($n)" +ret=0 +ksr common -e +1y -K keydir keygen common.test > ksr.keygen.out.$n 2>&1 || ret=1 +num=$(cat ksr.keygen.out.$n | wc -l) +[ $num -eq 2 ] || ret=1 +set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400 +check_keys common.test keydir || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +n=$((n+1)) +echo_i "check that 'dnssec-ksr keygen' selects generates only necessary keys for overlapping time bundle ($n)" +ret=0 +ksr common -e +2y -v 1 keygen common.test > ksr.keygen.out.$n 2>&1 || ret=1 +num=$(cat ksr.keygen.out.$n | wc -l) [ $num -eq 4 ] || ret=1 # 2 selected, 2 generated -num=$(grep "Selecting" ksr.out.$n | wc -l) +num=$(grep "Selecting" ksr.keygen.out.$n | wc -l) [ $num -eq 2 ] || ret=1 -num=$(grep "Generating" ksr.out.$n | wc -l) +num=$(grep "Generating" ksr.keygen.out.$n | wc -l) [ $num -eq 2 ] || ret=1 -set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400 -check_keys "." || ret=1 +cp ksr.keygen.out.$n ksr.keygen.out.expect test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) n=$((n+1)) -echo_i "check that 'dnssec-ksr' pregenerates keys in the given key-directory ($n)" +echo_i "run 'dnssec-ksr keygen' again with verbosity 0 ($n)" ret=0 -ksr common -i now -e +1y -K keydir keygen common.test > ksr.out.$n 2>&1 || ret=1 -num=$(cat ksr.out.$n | wc -l) -[ $num -eq 2 ] || ret=1 +ksr common -i $now -e +2y keygen common.test > ksr.keygen.out.$n 2>&1 || ret=1 +num=$(cat ksr.keygen.out.$n | wc -l) +[ $num -eq 4 ] || ret=1 set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400 -check_keys "keydir" || ret=1 +check_keys common.test "." 
|| ret=1 +cp ksr.keygen.out.$n ksr.keygen.out.expect +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Create request: common (2) +n=$((n+1)) +echo_i "check that 'dnssec-ksr request' creates correct KSR if the interval is shorter ($n)" +ret=0 +ksr common -i $now -e +1y request common.test > ksr.request.out.$n 2>&1 || ret=1 +# Same as earlier. +diff ksr.request.out.$n ksr.request.expect > /dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) n=$((n+1)) -echo_i "check that 'dnssec-ksr' creates only one key for zsk with unlimited lifetime ($n)" +echo_i "check that 'dnssec-ksr request' creates correct KSR with new interval ($n)" ret=0 -ksr unlimited -e +2y keygen unlimited.test > ksr.out.$n 2>&1 || ret=1 -num=$(cat ksr.out.$n | wc -l) +ksr common -i $now -e +2y request common.test > ksr.request.out.$n 2>&1 || ret=1 +cp ksr.request.expect ksr.request.expect.$n +# Bundle 4: KSK + ZSK2 + ZSK3 +key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk3.id) +inception=$(cat $key.state | grep "Published" | cut -d' ' -f 2-) +echo ";; KSR common.test - bundle $inception" >> ksr.request.expect.$n +cat common.test.ksk1 >> ksr.request.expect.$n +print_dnskeys common.test 2 3 $DEFAULT_ALGORITHM_NUMBER ksr.keygen.out.expect +# Bundle 5: KSK + ZSK3 +key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk2.id) +inception=$(cat $key.state | grep "Removed" | cut -d' ' -f 2-) +echo ";; KSR common.test - bundle $inception" >> ksr.request.expect.$n +cat common.test.ksk1 >> ksr.request.expect.$n +cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk3 >> ksr.request.expect.$n +# Bundle 6: KSK + ZSK3 + ZSK4 +key=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk4.id) +inception=$(cat $key.state | grep "Published" | cut -d' ' -f 2-) +echo ";; KSR common.test - bundle $inception" >> ksr.request.expect.$n +cat common.test.ksk1 >> ksr.request.expect.$n +print_dnskeys common.test 3 4 $DEFAULT_ALGORITHM_NUMBER ksr.keygen.out.expect +# Bundle 7: KSK + ZSK4 +key=$(cat 
common.test.$DEFAULT_ALGORITHM_NUMBER.zsk3.id) +inception=$(cat $key.state | grep "Removed" | cut -d' ' -f 2-) +echo ";; KSR common.test - bundle $inception" >> ksr.request.expect.$n +cat common.test.ksk1 >> ksr.request.expect.$n +cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk4 >> ksr.request.expect.$n +diff ksr.request.out.$n ksr.request.expect.$n > /dev/null || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +n=$((n+1)) +echo_i "check that 'dnssec-ksr request' errors if there are not enough keys ($n)" +ret=0 +ksr common -i $now -e +3y request common.test > ksr.request.out.$n 2> ksr.request.err.$n && ret=1 +grep "dnssec-ksr: fatal: no common.test/ECDSAP256SHA256 zsk key pair found for bundle" ksr.request.err.$n > /dev/null || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Key generation: csk +n=$((n+1)) +echo_i "check that 'dnssec-ksr keygen' creates no keys for policy with csk ($n)" +ret=0 +ksr csk -e +2y keygen csk.test > ksr.keygen.out.$n 2>&1 && ret=1 +grep "dnssec-ksr: fatal: policy 'csk' has no zsks" ksr.keygen.out.$n > /dev/null || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Key generation: unlimited +n=$((n+1)) +echo_i "check that 'dnssec-ksr keygen' creates only one key for zsk with unlimited lifetime ($n)" +ret=0 +ksr unlimited -e +2y keygen unlimited.test > ksr.keygen.out.$n 2>&1 || ret=1 +num=$(cat ksr.keygen.out.$n | wc -l) [ $num -eq 1 ] || ret=1 -key=$(cat ksr.out.$n) +key=$(cat ksr.keygen.out.$n) grep "; Created:" "${key}.key" > created.out || ret=1 created=$(awk '{print $3}' < created.out) active=$created 
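Review bot: The "not enough keys" check greps for the literal `common.test/ECDSAP256SHA256`, while the rest of these tests is parameterised on `$DEFAULT_ALGORITHM_NUMBER` and `$DEFAULT_BITS`. If the suite runs with a different default algorithm, the expected message no longer matches and the check fails for the wrong reason. Build the pattern from the framework's algorithm-name variable instead (presumably `$DEFAULT_ALGORITHM`; confirm it is available to this test), e.g. `grep "dnssec-ksr: fatal: no common.test/$DEFAULT_ALGORITHM zsk key pair found for bundle" ksr.request.err.$n`. Separately, the `diff ... > /dev/null` comparisons in this hunk throw away the only evidence of which bundle differed; writing the diff output to a file would make failures diagnosable.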
@@ -196,37 +329,109 @@ grep "Published: $published" ${key}.state > /dev/null || ret=1 grep "Active: $active" ${key}.state > /dev/null || ret=1 grep "Retired:" ${key}.state > /dev/null && ret=1 grep "Removed:" ${key}.state > /dev/null && ret=1 +cat ${key}.key | grep -v ";.*" > unlimited.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) +# Create request: unlimited n=$((n+1)) -echo_i "check that 'dnssec-ksr' creates no keys for policy with csk ($n)" +echo_i "check that 'dnssec-ksr request' creates correct KSR with unlimited zsk ($n)" ret=0 -ksr csk -e +2y keygen csk.test > ksr.out.$n 2>&1 && ret=1 -grep "dnssec-ksr: fatal: policy 'csk' has no zsks" ksr.out.$n > /dev/null || ret=1 +ksr unlimited -i $created -e +10y request unlimited.test > ksr.request.out.$n 2>&1 || ret=1 +# Only one bundle: KSK + ZSK +inception=$(cat $key.state | grep "Generated" | cut -d' ' -f 2-) +echo ";; KSR unlimited.test - bundle $inception" > ksr.request.expect.$n +cat unlimited.test.ksk1 >> ksr.request.expect.$n +cat unlimited.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 >> ksr.request.expect.$n +diff ksr.request.out.$n ksr.request.expect.$n > /dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) +# Key generation: two-tone n=$((n+1)) -echo_i "check that 'dnssec-ksr' creates keys for different algorithms ($n)" +echo_i "check that 'dnssec-ksr keygen' creates keys for different algorithms ($n)" ret=0 -ksr two-tone -e +1y keygen two-tone.test > ksr.out.$n 2>&1 || ret=1 +ksr two-tone -e +1y keygen two-tone.test > ksr.keygen.out.$n 2>&1 || ret=1 # First algorithm keys have a lifetime of 3 months, so there should be 4 created keys. alg=$(printf "%03d" "$DEFAULT_ALGORITHM_NUMBER") -num=$(grep "Ktwo-tone.test.+$alg+" ksr.out.$n | wc -l) +num=$(grep "Ktwo-tone.test.+$alg+" ksr.keygen.out.$n | wc -l) [ $num -eq 4 ] || ret=1 set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 8035200 check_keys two-tone.test "." 
|| ret=1 +cp ksr.keygen.out.$n ksr.keygen.out.expect.$DEFAULT_ALGORITHM_NUMBER # Second algorithm keys have a lifetime of 5 months, so there should be 3 created keys. # While only two time bundles of 5 months fit into one year, we need to create an # extra key for the remainder of the bundle. alg=$(printf "%03d" "$ALTERNATIVE_ALGORITHM_NUMBER") -num=$(grep "Ktwo-tone.test.+$alg+" ksr.out.$n | wc -l) +num=$(grep "Ktwo-tone.test.+$alg+" ksr.keygen.out.$n | wc -l) [ $num -eq 3 ] || ret=1 set_zsk $ALTERNATIVE_ALGORITHM_NUMBER $ALTERNATIVE_BITS 13392000 check_keys two-tone.test "." $ALTERNATIVE_ALGORITHM_NUMBER 13392000 || ret=1 +cp ksr.keygen.out.$n ksr.keygen.out.expect.$ALTERNATIVE_ALGORITHM_NUMBER test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) +# Create request: two-tone +n=$((n+1)) +echo_i "check that 'dnssec-ksr request' creates correct KSR with multiple algorithms ($n)" +ret=0 +key=$(cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id) +grep "; Created:" "${key}.key" > created.out || ret=1 +created=$(awk '{print $3}' < created.out) +ksr two-tone -i $created -e +6mo request two-tone.test > ksr.request.out.$n 2>&1 || ret=1 +# The two-tone policy uses two sets of KSK/ZSK with different algorithms. One +# set uses the default algorithm (denoted as A below), the other is using the +# alternative algorithm (denoted as B). The A-ZSKs roll every three months, +# so in the second bundle there should be a new DNSKEY prepublished, and the +# predecessor is removed in the third bundle. Then, after five months the +# ZSK for the B set is rolled, adding the successor in bundle 4 and removing +# its predecessor in bundle 5. 
+# +# Bundle 1: KSK-A1, KSK-B1, ZSK-A1, ZSK-B1 +key=$(cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id) +inception=$(cat $key.state | grep "Generated" | cut -d' ' -f 2-) +echo ";; KSR two-tone.test - bundle $inception" > ksr.request.expect.$n +cat two-tone.test.ksk1 >> ksr.request.expect.$n +cat two-tone.test.ksk2 >> ksr.request.expect.$n +cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk1 >> ksr.request.expect.$n +cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1 >> ksr.request.expect.$n +# Bundle 2: KSK-A1, KSK-B1, ZSK-A1 + ZSK-A2, ZSK-B1 +key=$(cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2.id) +inception=$(cat $key.state | grep "Published" | cut -d' ' -f 2-) +echo ";; KSR two-tone.test - bundle $inception" >> ksr.request.expect.$n +cat two-tone.test.ksk1 >> ksr.request.expect.$n +cat two-tone.test.ksk2 >> ksr.request.expect.$n +print_dnskeys two-tone.test 1 2 $DEFAULT_ALGORITHM_NUMBER ksr.keygen.out.expect.$DEFAULT_ALGORITHM_NUMBER >> ksr.request.expect.$n +cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1 >> ksr.request.expect.$n +# Bundle 3: KSK-A1, KSK-B1, ZSK-A2, ZSK-B1 +key=$(cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id) +inception=$(cat $key.state | grep "Removed" | cut -d' ' -f 2-) +echo ";; KSR two-tone.test - bundle $inception" >> ksr.request.expect.$n +cat two-tone.test.ksk1 >> ksr.request.expect.$n +cat two-tone.test.ksk2 >> ksr.request.expect.$n +cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >> ksr.request.expect.$n +cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1 >> ksr.request.expect.$n +# Bundle 4: KSK-A1, KSK-B1, ZSK-A2, ZSK-B1 + ZSK-B2 +key=$(cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk2.id) +inception=$(cat $key.state | grep "Published" | cut -d' ' -f 2-) +echo ";; KSR two-tone.test - bundle $inception" >> ksr.request.expect.$n +cat two-tone.test.ksk1 >> ksr.request.expect.$n +cat two-tone.test.ksk2 >> ksr.request.expect.$n +cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >> ksr.request.expect.$n +print_dnskeys 
two-tone.test 1 2 $ALTERNATIVE_ALGORITHM_NUMBER ksr.keygen.out.expect.$ALTERNATIVE_ALGORITHM_NUMBER >> ksr.request.expect.$n +# Bundle 5: KSK-A1, KSK-B1, ZSK-A2, ZSK-B2 +key=$(cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk1.id) +inception=$(cat $key.state | grep "Removed" | cut -d' ' -f 2-) +echo ";; KSR two-tone.test - bundle $inception" >> ksr.request.expect.$n +cat two-tone.test.ksk1 >> ksr.request.expect.$n +cat two-tone.test.ksk2 >> ksr.request.expect.$n +cat two-tone.test.$DEFAULT_ALGORITHM_NUMBER.zsk2 >> ksr.request.expect.$n +cat two-tone.test.$ALTERNATIVE_ALGORITHM_NUMBER.zsk2 >> ksr.request.expect.$n +# Check the KSR request against the expected request. +diff ksr.request.out.$n ksr.request.expect.$n > /dev/null || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1
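Review bot: The unlimited request check reuses `$key` and `$created` left over from the preceding keygen check instead of re-deriving them, unlike the two-tone request check in the same hunk, which re-reads the key name from its `.id` file. If the keygen check is reordered or fails before assigning them, the request is issued with stale or empty values and the failure is attributed to the wrong check. Either have the keygen check also write `echo "$key" > unlimited.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id` and read it back here, or add a comment such as `# $key and $created are still set by the unlimited keygen check above`.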