[v9_11] fix keymgr with low prepublication interval

4417.	[bug]		dnssec-keymgr could fail to create successor keys
			if the prepublication interval was set to a value
			smaller than the default. [RT #42820]

Patch submitted by Nis Wechselberg (enbewe@enbewe.de).

CHANGES

@@ -1,3 +1,7 @@
+4417.	[bug]		dnssec-keymgr could fail to create successor keys
+			if the prepublication interval was set to a value
+			smaller than the default. [RT #42820]
+
 4416.	[bug]		dnssec-keymgr: Domain names in policy files could
 			fail to match due to trailing dots. [RT #42807]
 

bin/python/isc/dnskey.py.in

@@ -205,7 +205,7 @@ class dnskey:
         except Exception as e:
             raise Exception('unable to parse generated key: %s' % str(e))
 
-    def generate_successor(self, keygen_bin, randomdev, **kwargs):
+    def generate_successor(self, keygen_bin, randomdev, prepublish, **kwargs):
         quiet = kwargs.get('quiet', False)
 
         if not self.inactive():
@@ -219,6 +219,9 @@ class dnskey:
         if randomdev:
             keygen_cmd += ["-r", randomdev]
 
+        if prepublish:
+            keygen_cmd += ["-i", str(prepublish)]
+
         if not quiet:
             print('# ' + ' '.join(keygen_cmd))
 

bin/python/isc/keyseries.py.in

@@ -123,7 +123,7 @@ class keyseries:
             prev.commit(self._context['settime_path'], **kwargs)
             key = prev.generate_successor(self._context['keygen_path'],
                                           self._context['randomdev'],
-                                          **kwargs)
+                                          prepub, **kwargs)
 
             key.setinactive(key.activate() + rp, **kwargs)
             key.setdelete(key.inactive() + postpub, **kwargs)

bin/tests/system/keymgr/18-nonstd-prepub/README

@@ -0,0 +1,9 @@
+Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+This directory has a key set which is valid, but will expire within
+the rollover period. The prepublication interval in policy.conf is a
+nonstandard value.

bin/tests/system/keymgr/18-nonstd-prepub/expect

@@ -0,0 +1,9 @@
+kargs="-c policy.conf example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2

bin/tests/system/keymgr/18-nonstd-prepub/policy.conf

@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+policy default {
+	policy global;
+	algorithm nsec3rsasha1;
+	pre-publish zsk 2w;
+	roll-period zsk 6mo;
+	coverage 364d;
+};

bin/tests/system/keymgr/setup.sh

@@ -202,3 +202,12 @@ z1=`$KEYGEN -K $dir -q3 example.com`
 z2=`$KEYGEN -K $dir -q3 example.com`
 z3=`$KEYGEN -K $dir -q3 example.com`
 z4=`$KEYGEN -K $dir -q3 example.com`
+
+# Test 18: Prepublication interval is set to a nonstandard value
+dir=18-nonstd-prepub
+echo I:set up $dir
+rm -f $dir/K*.key
+rm -f $dir/K*.private
+ksk1=`$KEYGEN -K $dir -3fk example.com`
+zsk1=`$KEYGEN -K $dir -3 example.com`
+$SETTIME -K $dir -I now+2mo -D now+3mo $z1 > /dev/null

bin/tests/system/keymgr/tests.sh

@@ -30,8 +30,11 @@ for dir in [0-9][0-9]-*; do
         kargs= cargs= kmatch= cmatch= kret= cret=0 warn= error= ok=
         . $dir/expect
 
+        # use policy.conf if available
+        policy=""
+        [ -e "$dir/policy.conf" ] && policy="-c $dir/policy.conf"
         # run keymgr to update keys
-        $KEYMGR -K $dir -g $KEYGEN -r $RANDFILE -s $SETTIME $kargs > keymgr.$n 2>&1
+        $KEYMGR $policy -K $dir -g $KEYGEN -r $RANDFILE -s $SETTIME $kargs > keymgr.$n 2>&1
         # check that return code matches expectations
         found=$?
         if [ $found -ne $kret ]; then