From d907426f0f5b6100cbe4d03e417f59ce67ff171b Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Wed, 20 Jul 2016 15:14:20 -0700 Subject: [PATCH] [v9_11] fix keymgr with low prepublication interval 4417. [bug] dnssec-keymgr could fail to create successor keys if the prepublication interval was set to a value smaller than the default. [RT #42820] Patch submitted by Nis Wechselberg (enbewe@enbewe.de). --- CHANGES | 4 ++++ bin/python/isc/dnskey.py.in | 5 ++++- bin/python/isc/keyseries.py.in | 2 +- bin/tests/system/keymgr/18-nonstd-prepub/README | 9 +++++++++ bin/tests/system/keymgr/18-nonstd-prepub/expect | 9 +++++++++ .../system/keymgr/18-nonstd-prepub/policy.conf | 15 +++++++++++++++ bin/tests/system/keymgr/setup.sh | 9 +++++++++ bin/tests/system/keymgr/tests.sh | 5 ++++- 8 files changed, 55 insertions(+), 3 deletions(-) create mode 100644 bin/tests/system/keymgr/18-nonstd-prepub/README create mode 100644 bin/tests/system/keymgr/18-nonstd-prepub/expect create mode 100644 bin/tests/system/keymgr/18-nonstd-prepub/policy.conf diff --git a/CHANGES b/CHANGES index 83850fba42..e0de9ffc09 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +4417. [bug] dnssec-keymgr could fail to create successor keys + if the prepublication interval was set to a value + smaller than the default. [RT #42820] + 4416. [bug] dnssec-keymgr: Domain names in policy files could fail to match due to trailing dots. [RT #42807] diff --git a/bin/python/isc/dnskey.py.in b/bin/python/isc/dnskey.py.in index 502ada8ebe..081ca062be 100644 --- a/bin/python/isc/dnskey.py.in +++ b/bin/python/isc/dnskey.py.in @@ -205,7 +205,7 @@ class dnskey: except Exception as e: raise Exception('unable to parse generated key: %s' % str(e)) - def generate_successor(self, keygen_bin, randomdev, **kwargs): + def generate_successor(self, keygen_bin, randomdev, prepublish, **kwargs): quiet = kwargs.get('quiet', False) if not self.inactive(): 
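Review bot: `generate_successor` gains `prepublish` as a required third positional parameter, so any caller not updated in this commit (the diffstat shows keyseries.py.in as the only one touched) would now fail with a TypeError instead of quietly falling back to dnssec-keygen's default interval. A default keeps the fix and stays compatible: `def generate_successor(self, keygen_bin, randomdev, prepublish=None, **kwargs):`, which the later `if prepublish:` guard in the next hunk already handles as "use the default". The method also has no docstring; a one-liner such as `"""Run keygen_bin to create this key's successor; prepublish, when set, is passed through as -i."""` would document the new parameter. The method body continues outside the hunk.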
@@ -219,6 +219,9 @@ class dnskey: if randomdev: keygen_cmd += ["-r", randomdev] + if prepublish: + keygen_cmd += ["-i", str(prepublish)] + if not quiet: print('# ' + ' '.join(keygen_cmd)) diff --git a/bin/python/isc/keyseries.py.in b/bin/python/isc/keyseries.py.in index 7c6191a868..09fc337717 100644 --- a/bin/python/isc/keyseries.py.in +++ b/bin/python/isc/keyseries.py.in @@ -123,7 +123,7 @@ class keyseries: prev.commit(self._context['settime_path'], **kwargs) key = prev.generate_successor(self._context['keygen_path'], self._context['randomdev'], - **kwargs) + prepub, **kwargs) key.setinactive(key.activate() + rp, **kwargs) key.setdelete(key.inactive() + postpub, **kwargs) diff --git a/bin/tests/system/keymgr/18-nonstd-prepub/README b/bin/tests/system/keymgr/18-nonstd-prepub/README new file mode 100644 index 0000000000..4709280e2e --- /dev/null +++ b/bin/tests/system/keymgr/18-nonstd-prepub/README @@ -0,0 +1,9 @@ +Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC") + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, You can obtain one at http://mozilla.org/MPL/2.0/. + +This directory has a key set which is valid, but will expire within +the rollover period. The prepublication interval in policy.conf is a +nonstandard value. diff --git a/bin/tests/system/keymgr/18-nonstd-prepub/expect b/bin/tests/system/keymgr/18-nonstd-prepub/expect new file mode 100644 index 0000000000..de792a9d5e --- /dev/null +++ b/bin/tests/system/keymgr/18-nonstd-prepub/expect @@ -0,0 +1,9 @@ +kargs="-c policy.conf example.com" +kmatch="" +kret=0 +cargs="-d 1w -m 2w example.com" +cmatch="" +cret=0 +warn=0 +error=0 +ok=2 diff --git a/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf b/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf new file mode 100644 index 0000000000..cfe3aa92f1 --- /dev/null +++ b/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf 
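Review bot: `if prepublish:` treats an interval of 0 the same as "not given", so a policy that deliberately asks for no prepublication would still get dnssec-keygen's own default via the omitted `-i`; if "unset means default" is the intent, `if prepublish is not None:` states it exactly, and a comment like `# -i overrides keygen's default prepublication interval (RT #42820)` would explain why the flag is only conditionally added. Whether the caller can ever pass 0 here is not visible in this hunk, so treat this as something to confirm rather than a definite defect. `str(prepublish)` also assumes the value is already in a form `-i` accepts (a plain number is read as seconds); the unit of what keyseries passes is set outside these hunks.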
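Review bot: `prepub` is inserted as a bare positional between `randomdev` and `**kwargs`, which is the easiest kind of argument to misplace if the signature grows again; passing it by name, `prepublish=prepub, **kwargs)`, ties the call to the parameter rather than its position and reads alongside the keyword passing already used here. `prepub` itself is assigned outside the hunk, so its type and unit cannot be confirmed from this view; since the callee stringifies it for `-i`, it must already be in a form dnssec-keygen accepts.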
@@ -0,0 +1,15 @@ +/* + * Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + */ + +policy default { + policy global; + algorithm nsec3rsasha1; + pre-publish zsk 2w; + roll-period zsk 6mo; + coverage 364d; +}; diff --git a/bin/tests/system/keymgr/setup.sh b/bin/tests/system/keymgr/setup.sh index 5acd5aba02..2b327342f5 100644 --- a/bin/tests/system/keymgr/setup.sh +++ b/bin/tests/system/keymgr/setup.sh @@ -202,3 +202,12 @@ z1=`$KEYGEN -K $dir -q3 example.com` z2=`$KEYGEN -K $dir -q3 example.com` z3=`$KEYGEN -K $dir -q3 example.com` z4=`$KEYGEN -K $dir -q3 example.com` + +# Test 18: Prepublication interval is set to a nonstandard value +dir=18-nonstd-prepub +echo I:set up $dir +rm -f $dir/K*.key +rm -f $dir/K*.private +ksk1=`$KEYGEN -K $dir -3fk example.com` +zsk1=`$KEYGEN -K $dir -3 example.com` +$SETTIME -K $dir -I now+2mo -D now+3mo $z1 > /dev/null diff --git a/bin/tests/system/keymgr/tests.sh b/bin/tests/system/keymgr/tests.sh index 97137a64ee..dfa1fb310f 100644 --- a/bin/tests/system/keymgr/tests.sh +++ b/bin/tests/system/keymgr/tests.sh @@ -30,8 +30,11 @@ for dir in [0-9][0-9]-*; do kargs= cargs= kmatch= cmatch= kret= cret=0 warn= error= ok= . $dir/expect + # use policy.conf if available + policy="" + [ -e "$dir/policy.conf" ] && policy="-c $dir/policy.conf" # run keymgr to update keys - $KEYMGR -K $dir -g $KEYGEN -r $RANDFILE -s $SETTIME $kargs > keymgr.$n 2>&1 + $KEYMGR $policy -K $dir -g $KEYGEN -r $RANDFILE -s $SETTIME $kargs > keymgr.$n 2>&1 # check that return code matches expectations found=$? if [ $found -ne $kret ]; then
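Review bot: Nothing in policy.conf says which line carries the nonstandard value this fixture exists to exercise; a comment above it, `/* pre-publish below the keymgr default; exercises RT #42820 */`, keeps the fixture self-explanatory if the README and the policy ever drift apart. The rest of the policy (algorithm, roll-period, coverage) is presumably standard and only there to make the policy complete.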
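Review bot: The settime call at the end of the new setup block acts on `$z1`, which is the zone key created for the previous test's directory (see the `z1=` context line above, before `dir` is reassigned), not the `$zsk1` just generated for 18-nonstd-prepub; with `-K $dir` now pointing at the new directory that key file presumably does not exist there, so the inactive/delete times the README promises are never set on the real ZSK, and only stdout is silenced by `> /dev/null`. The line should read `$SETTIME -K $dir -I now+2mo -D now+3mo $zsk1 > /dev/null`.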
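Review bot: For test 18 the policy file is now supplied twice: `$policy` expands to `-c 18-nonstd-prepub/policy.conf`, and that directory's expect file sets `kargs="-c policy.conf example.com"`, so dnssec-keymgr also receives a second, cwd-relative `-c policy.conf` later on the command line; which one wins depends on its option parser (argparse keeps the last), and a cwd-relative path would not resolve from the test directory. Pass the policy once — either drop `-c policy.conf` from 18-nonstd-prepub/expect or only add `$policy` when `$kargs` does not already carry `-c`. `$policy` is also expanded unquoted on purpose so it splits into two words; a comment such as `# unquoted: must split into "-c" and the path` would stop a later cleanup from quoting it into a single argument.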