From 2b34b326fcdb1685246f072b73f7f19416eb3b08 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Thu, 28 Apr 2022 12:58:38 +0200
Subject: [PATCH 1/2] Minor fixes in kasp system test

Fix two typos and two grep calls.
---
 bin/tests/system/kasp.sh | 4 ++--
 bin/tests/system/kasp/tests.sh | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh
index 9feab32c0c..74a2345e37 100644
--- a/bin/tests/system/kasp.sh
+++ b/bin/tests/system/kasp.sh
@@ -1021,7 +1021,7 @@ _check_apex_dnskey() {
 		grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY1 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || return 1
 		_checksig=1
 	elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
-		grep "${ZONE}\.*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY1 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && return 1
+		grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY1 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && return 1
 	fi
 
 	_flags="$(key_get KEY2 FLAGS)"
@@ -1030,7 +1030,7 @@ _check_apex_dnskey() {
 		grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY2 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || return 1
 		_checksig=1
 	elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
-		grep "${ZONE}\.*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY2 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && return 1
+		grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY2 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && return 1
 	fi
 
 	_flags="$(key_get KEY3 FLAGS)"
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 27d4e3f500..bcea02f65d 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -2024,7 +2024,7 @@ dnssec_verify
 # Schedule KSK rollover now.
 set_policy "manual-rollover" "3" "3600"
 set_keystate "KEY1" "GOAL" "hidden"
-# This key was activated one day agao, so lifetime is set to 1d plus
+# This key was activated one day ago, so lifetime is set to 1d plus
 # prepublication duration (7500 seconds) = 93900 seconds.
 set_keylifetime "KEY1" "93900"
 created=$(key_get KEY1 CREATED)
@@ -2051,7 +2051,7 @@ dnssec_verify
 # Schedule ZSK rollover now.
 set_policy "manual-rollover" "4" "3600"
 set_keystate "KEY2" "GOAL" "hidden"
-# This key was activated one day agao, so lifetime is set to 1d plus
+# This key was activated one day ago, so lifetime is set to 1d plus
 # prepublication duration (7500 seconds) = 93900 seconds.
 set_keylifetime "KEY2" "93900"
 created=$(key_get KEY2 CREATED)

From 3e1d09ac665e835ab4f46357e91b5cde50a441d7 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Thu, 28 Apr 2022 16:45:33 +0200
Subject: [PATCH 2/2] Fix a kasp system test bug

In '_check_apex_dnskey' we check for each key (KEY1 to KEY4) if they are present in the DNSKEY RRset if they should be. However, we only grep the dig output for the first seven fields (owner, ttl, class, type, flags, protocol, algorithm). This can be the same for different keys. For example, KEY1 may be KSK predecessor and KEY2 a KSK successor, both DNSKEY records for these keys are the same up to the public key field. This can cause test failures if KEY1 needs to be present, but KEY2 not, because when grepping for KEY2 we will falsely detect the key to be present (because the grep matches KEY1). Fix the function by grepping looking for the first seven fields in the corresponding key file and retrieve the public key part. Grep for this in the dig output.
---
 bin/tests/system/kasp.sh | 48 +++++++++++++++++++++++++++-------------
 1 file changed, 33 insertions(+), 15 deletions(-)

diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh
index 74a2345e37..01bcce3fd0 100644
--- a/bin/tests/system/kasp.sh
+++ b/bin/tests/system/kasp.sh
@@ -1008,6 +1008,15 @@ check_cds() {
 	status=$((status+ret))
 }
 
+_find_dnskey() {
+	_owner="${ZONE}."
+	_alg="$(key_get $1 ALG_NUM)"
+	_flags="$(key_get $1 FLAGS)"
+	_key_file="$(key_get $1 BASEFILE).key"
+
+	awk '$1 == "'"$_owner"'" && $2 == "'"$DNSKEY_TTL"'" && $3 == "IN" && $4 == "DNSKEY" && $5 == "'"$_flags"'" && $6 == "3" && $7 == "'"$_alg"'" { print $8 }' < "$_key_file"
+}
+
 # Test DNSKEY query.
 _check_apex_dnskey() {
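Review bot: `_find_dnskey` builds the awk program by splicing `$_owner`, `$DNSKEY_TTL`, `$_flags` and `$_alg` into the program text, so a value containing a double quote or backslash would alter the program instead of the comparison; passing them as awk variables keeps data out of the code, e.g. `awk -v owner="$_owner" -v ttl="$DNSKEY_TTL" -v flags="$_flags" -v alg="$_alg" '$1 == owner && $2 == ttl && $3 == "IN" && $4 == "DNSKEY" && $5 == flags && $6 == "3" && $7 == alg { print $8; exit }' < "$_key_file"`. The `exit` also guarantees a single-line result; without it, a key file that ever held two matching records would yield a multi-line `_pubkey`, and the caller's `grep -F` would then accept either line as a match. The three `key_get $1 …` calls should quote `"$1"` like the rest of the file does with its expansions. The file appears to be POSIX sh without `local`, so a short comment such as `# Sets _owner/_alg/_flags/_key_file as globals; prints the public key field or nothing.` would warn readers that these names are clobbered on every call.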
@@ -1015,40 +1024,49 @@ _check_apex_dnskey() {
 	grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || return 1
 	_checksig=0
-	_flags="$(key_get KEY1 FLAGS)"
 	if [ "$(key_get KEY1 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DNSKEY)" = "omnipresent" ]; then
-		grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY1 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || return 1
+		_pubkey=$(_find_dnskey KEY1)
+		test -z "$_pubkey" && return 1
+		grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
 		_checksig=1
 	elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
-		grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY1 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && return 1
+		_pubkey=$(_find_dnskey KEY1)
+		test -z "$_pubkey" && return 1
+		grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
 	fi
 
-	_flags="$(key_get KEY2 FLAGS)"
 	if [ "$(key_get KEY2 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DNSKEY)" = "omnipresent" ]; then
-		grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY2 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || return 1
+		_pubkey=$(_find_dnskey KEY2)
+		test -z "$_pubkey" && return 1
+		grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
 		_checksig=1
 	elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
-		grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY2 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && return 1
+		_pubkey=$(_find_dnskey KEY2)
+		test -z "$_pubkey" && return 1
+		grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
 	fi
 
-	_flags="$(key_get KEY3 FLAGS)"
 	if [ "$(key_get KEY3 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DNSKEY)" = "omnipresent" ]; then
-		grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY3 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || return 1
+		_pubkey=$(_find_dnskey KEY3)
+		test -z "$_pubkey" && return 1
+		grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
 		_checksig=1
 	elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
-		grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY3 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && return 1
+		_pubkey=$(_find_dnskey KEY3)
+		test -z "$_pubkey" && return 1
+		grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
 	fi
 
-	_flags="$(key_get KEY4 FLAGS)"
 	if [ "$(key_get KEY4 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DNSKEY)" = "omnipresent" ]; then
-		grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY4 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || return 1
+		_pubkey=$(_find_dnskey KEY4)
+		test -z "$_pubkey" && return 1
+		grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
 		_checksig=1
 	elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
-		grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY4 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && return 1
+		_pubkey=$(_find_dnskey KEY4)
+		test -z "$_pubkey" && return 1
+		grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
 	fi
 
 	test "$_checksig" -eq 0 && return 0
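Review bot: The six-line lookup-and-grep block is now repeated verbatim for KEY1 through KEY4 with only the key name changing, which is exactly why this fix had to be applied in eight places; a `for _key in KEY1 KEY2 KEY3 KEY4; do … done` loop calling `key_get "$_key" …` and `_find_dnskey "$_key"` keeps the check in one place and makes the next change a one-line edit. The loop below assumes `key_get` accepts the key name from a variable, which seems to be the case given the `key_get $1 …` calls in the new `_find_dnskey` but is worth confirming. The `grep -F "$_pubkey"` matches the public-key field anywhere in the dig output, which is what the commit intends, but it relies on `_find_dnskey` returning exactly one line; `grep -F` treats each line of its pattern as an alternative. `_check_apex_dnskey` begins before this hunk, in the preceding one.
```shell
	_checksig=0
	for _key in KEY1 KEY2 KEY3 KEY4; do
		_state="$(key_get "$_key" STATE_DNSKEY)"
		if [ "$_state" = "rumoured" ] || [ "$_state" = "omnipresent" ]; then
			_pubkey=$(_find_dnskey "$_key")
			test -z "$_pubkey" && return 1
			grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
			_checksig=1
		elif [ "$(key_get "$_key" EXPECT)" = "yes" ]; then
			_pubkey=$(_find_dnskey "$_key")
			test -z "$_pubkey" && return 1
			grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
		fi
	done
	# … unchanged: _checksig test and the rest of the function …
```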