Fix mkeys to work with DEFAULT_ALGORITHM properly

Stop using a RSASHA1 fixed key in ns3's named.conf as the trusted key and instead compute a broken digest from the real digest to use in trusted-keys. (cherry picked from commit be4cbe2b80b52a1f07c438e5ef4f060909ce5251)
2026-06-11 05:59:59 -04:00 · 2022-08-10 17:20:30 +10:00 · 2022-08-10 17:20:30 +10:00 · d48f9f84e3
commit d48f9f84e3
parent 7e1b02fc4e
3 changed files with 35 additions and 4 deletions
--- a/bin/tests/system/mkeys/clean.sh
+++ b/bin/tests/system/mkeys/clean.sh
@ -15,6 +15,7 @@ rm -f */K* */*.signed */trusted.conf */*.jnl */*.bk
 rm -f */managed*.conf ns1/managed.key ns1/managed.key.id
 rm -f */managed-keys.bind* */named.secroots
 rm -f */named.conf
+rm -f ns3/broken.conf
 rm -f */named.memstats */named.run */named.run.prev
 rm -f dig.out* delv.out* rndc.out* signer.out*
 rm -f dsset-. ns1/dsset-.
--- a/bin/tests/system/mkeys/ns1/sign.sh
+++ b/bin/tests/system/mkeys/ns1/sign.sh
@ -27,6 +27,39 @@ cp managed.conf ../ns2/managed.conf
 cp managed.conf ../ns4/managed.conf
 cp managed.conf ../ns5/managed.conf

+# Configure broken trust anchor for ns3
+# Rotate each nibble in the digest by -1
+$DSFROMKEY $keyname.key |
+awk '!/^; /{
+            printf "trust-anchors {\n"
+            printf "\t\""$1"\" initial-ds "
+            printf $4 " " $5 " " $6 " \""
+            for (i=7; i<=NF; i++) {
+		# rotate digest
+		digest=$i
+		gsub("0", ":", digest)
+		gsub("1", "0", digest)
+		gsub("2", "1", digest)
+		gsub("3", "2", digest)
+		gsub("4", "3", digest)
+		gsub("5", "4", digest)
+		gsub("6", "5", digest)
+		gsub("7", "6", digest)
+		gsub("8", "7", digest)
+		gsub("9", "8", digest)
+		gsub("A", "9", digest)
+		gsub("B", "A", digest)
+		gsub("C", "B", digest)
+		gsub("D", "C", digest)
+		gsub("E", "D", digest)
+		gsub("F", "E", digest)
+		gsub(":", "F", digest)
+		printf digest
+	    }
+	    printf "\";\n"
+	    printf "};\n"
+	}' > ../ns3/broken.conf
+
 # Configure a static key to be used by delv.
 keyfile_to_static_ds $keyname > trusted.conf

--- a/bin/tests/system/mkeys/ns3/named.conf.in
+++ b/bin/tests/system/mkeys/ns3/named.conf.in
@ -42,7 +42,4 @@ zone "." {
 	file "../../common/root.hint";
 };

-# purposely broken key for testing
-trust-anchors {
-    "." initial-key 257 3 5 "PURPOSELYBROKEN/xs9iVj7QekClcpzjCf0JrvXW1z07hNMqMm6Q2FtIXMbRgfvTtHF3/ZNvcewT9hpfczC+JACHsQSYYdr7UI8oe4nJfal9+2F3pz4a+HR6CqkgrR6WLWQI1Q==";
-};
+include "broken.conf";