From d48f9f84e3d344fef27d99a3c8f3171cfaeed5df Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 10 Aug 2022 17:20:30 +1000
Subject: [PATCH] Fix mkeys to work with DEFAULT_ALGORITHM properly

Stop using a RSASHA1 fixed key in ns3's named.conf as the trusted key and instead compute a broken digest from the real digest to use in trusted-keys.

(cherry picked from commit be4cbe2b80b52a1f07c438e5ef4f060909ce5251)
---
 bin/tests/system/mkeys/clean.sh | 1 +
 bin/tests/system/mkeys/ns1/sign.sh | 33 ++++++++++++++++++++++++
 bin/tests/system/mkeys/ns3/named.conf.in | 5 +---
 3 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/bin/tests/system/mkeys/clean.sh b/bin/tests/system/mkeys/clean.sh
index 677e09715a..102cb3710f 100644
--- a/bin/tests/system/mkeys/clean.sh
+++ b/bin/tests/system/mkeys/clean.sh
@@ -15,6 +15,7 @@ rm -f */K* */*.signed */trusted.conf */*.jnl */*.bk
 rm -f */managed*.conf ns1/managed.key ns1/managed.key.id
 rm -f */managed-keys.bind* */named.secroots
 rm -f */named.conf
+rm -f ns3/broken.conf
 rm -f */named.memstats */named.run */named.run.prev
 rm -f dig.out* delv.out* rndc.out* signer.out*
 rm -f dsset-. ns1/dsset-.
diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh
index 87a6ea0a27..3fb598ce72 100644
--- a/bin/tests/system/mkeys/ns1/sign.sh
+++ b/bin/tests/system/mkeys/ns1/sign.sh
@@ -27,6 +27,39 @@ cp managed.conf ../ns2/managed.conf
 cp managed.conf ../ns4/managed.conf
 cp managed.conf ../ns5/managed.conf
 
+# Configure broken trust anchor for ns3
+# Rotate each nibble in the digest by -1
+$DSFROMKEY $keyname.key |
+awk '!/^; /{
+ printf "trust-anchors {\n"
+ printf "\t\""$1"\" initial-ds "
+ printf $4 " " $5 " " $6 " \""
+ for (i=7; i<=NF; i++) {
+ # rotate digest
+ digest=$i
+ gsub("0", ":", digest)
+ gsub("1", "0", digest)
+ gsub("2", "1", digest)
+ gsub("3", "2", digest)
+ gsub("4", "3", digest)
+ gsub("5", "4", digest)
+ gsub("6", "5", digest)
+ gsub("7", "6", digest)
+ gsub("8", "7", digest)
+ gsub("9", "8", digest)
+ gsub("A", "9", digest)
+ gsub("B", "A", digest)
+ gsub("C", "B", digest)
+ gsub("D", "C", digest)
+ gsub("E", "D", digest)
+ gsub("F", "E", digest)
+ gsub(":", "F", digest)
+ printf digest
+ }
+ printf "\";\n"
+ printf "};\n"
+ }' > ../ns3/broken.conf
+
 # Configure a static key to be used by delv.
 keyfile_to_static_ds $keyname > trusted.conf
 
diff --git a/bin/tests/system/mkeys/ns3/named.conf.in b/bin/tests/system/mkeys/ns3/named.conf.in
index 0c5004f980..374b184448 100644
--- a/bin/tests/system/mkeys/ns3/named.conf.in
+++ b/bin/tests/system/mkeys/ns3/named.conf.in
@@ -42,7 +42,4 @@ zone "." {
 file "../../common/root.hint";
 };
 
-# purposely broken key for testing
-trust-anchors {
- "." initial-key 257 3 5 "PURPOSELYBROKEN/xs9iVj7QekClcpzjCf0JrvXW1z07hNMqMm6Q2FtIXMbRgfvTtHF3/ZNvcewT9hpfczC+JACHsQSYYdr7UI8oe4nJfal9+2F3pz4a+HR6CqkgrR6WLWQI1Q==";
-};
+include "broken.conf";
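Review bot: The awk script uses field data as the printf format string in three places — `printf "\t\""$1"\" initial-ds "`, `printf $4 " " $5 " " $6 " \""` and `printf digest` — so a `%` anywhere in the dnssec-dsfromkey output would be interpreted as a conversion instead of being emitted. An owner name and a hex digest should not contain one, but the safe form costs nothing and is what ShellCheck-style reviews expect for awk as well: `printf "\t\"%s\" initial-ds %s %s %s \"", $1, $4, $5, $6` and `printf "%s", digest`. The `:` placeholder trick in the gsub chain is not obvious on first read; a comment on the first gsub such as `# ':' is a temporary stand-in so 0->F does not collide with the shifts that follow` would document why the chain is ordered this way. The `# rotate digest` comment could be dropped once that is in place. The enclosing script continues outside the hunk.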
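Review bot: The `# purposely broken key for testing` comment is removed together with the inline key, which leaves `include "broken.conf";` with no hint that the anchor is intentionally invalid or where it comes from; keeping the comment and pointing at the generator, e.g. `# purposely broken trust anchor for testing, generated by ns1/sign.sh`, would preserve that context. The include path is relative to named's working directory, which the test harness presumably sets to the ns3 directory — worth confirming, since a missing or unreadable broken.conf would make named fail to start rather than fail validation, and clean.sh now removes that file between runs.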