From 962136952406bfd478b3de71d070999101b054e9 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Thu, 31 Oct 2024 11:25:23 +0100
Subject: [PATCH] Match algorithms when checking signatures

In the ksr system test, the test_ksr_twotone case may fail if there
are two keys with the same keytag (but different algorithms), because
one key is expected to be signing and the other is not.

Switch to regular expression matching and include the algorithm in the
search string.

(cherry picked from commit 795fcc9f803068de8c5dbdbcbba69bbd0545b8be)
---
 bin/tests/system/isctest/kasp.py | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/bin/tests/system/isctest/kasp.py b/bin/tests/system/isctest/kasp.py
index 223dc33be1..7dd2c1d502 100644
--- a/bin/tests/system/isctest/kasp.py
+++ b/bin/tests/system/isctest/kasp.py
@@ -345,37 +345,41 @@ def _check_signatures(signatures, covers, fqdn, keys):
         active = now >= activate
         retired = inactive is not None and inactive <= now
         signing = active and not retired
+        alg = key.get_metadata("Algorithm")
+        rtype = dns.rdatatype.to_text(covers)
+
+        expect = rf"IN RRSIG {rtype} {alg} (\d) (\d+) (\d+) (\d+) {key.tag} {fqdn}"
 
         if not signing:
             for rrsig in signatures:
-                assert f" {key.tag} {fqdn}" not in rrsig
+                assert re.search(expect, rrsig) is None
             continue
 
         if zrrsig and key.is_zsk():
             has_rrsig = False
             for rrsig in signatures:
-                if f" {key.tag} {fqdn}" in rrsig:
+                if re.search(expect, rrsig) is not None:
                     has_rrsig = True
                     break
-            assert has_rrsig
+            assert has_rrsig, f"Expected signature but not found: {expect}"
             numsigs += 1
 
         if zrrsig and not key.is_zsk():
             for rrsig in signatures:
-                assert f" {key.tag} {fqdn}" not in rrsig
+                assert re.search(expect, rrsig) is None
 
         if krrsig and key.is_ksk():
             has_rrsig = False
             for rrsig in signatures:
-                if f" {key.tag} {fqdn}" in rrsig:
+                if re.search(expect, rrsig) is not None:
                     has_rrsig = True
                     break
-            assert has_rrsig
+            assert has_rrsig, f"Expected signature but not found: {expect}"
             numsigs += 1
 
         if krrsig and not key.is_ksk():
             for rrsig in signatures:
-                assert f" {key.tag} {fqdn}" not in rrsig
+                assert re.search(expect, rrsig) is None
 
     return numsigs