1#!/bin/sh
2#
3# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
4#
5# This Source Code Form is subject to the terms of the Mozilla Public
6# License, v. 2.0. If a copy of the MPL was not distributed with this
7# file, you can obtain one at https://mozilla.org/MPL/2.0/.
8#
9# See the COPYRIGHT file distributed with this work for additional
10# information regarding copyright ownership.
11
12. ../conf.sh
13
14pzone=parent.nil pfile=parent.db
15czone=child.parent.nil cfile=child.db
16status=0
17n=1
18
19echo_i "setting key timers"
20$SETTIME -A now+15s `cat rolling.key` > /dev/null
21
22inact=$(keyfile_to_key_id "$(cat inact.key)")
23ksk=$(keyfile_to_key_id "$(cat ksk.key)")
24pending=$(keyfile_to_key_id "$(cat pending.key)")
25postrev=$(keyfile_to_key_id "$(cat postrev.key)")
26prerev=$(keyfile_to_key_id "$(cat prerev.key)")
27rolling=$(keyfile_to_key_id "$(cat rolling.key)")
28standby=$(keyfile_to_key_id "$(cat standby.key)")
29zsk=$(keyfile_to_key_id "$(cat zsk.key)")
30
31echo_i "signing zones"
32$SIGNER -Sg -o $czone $cfile > /dev/null
33$SIGNER -Sg -o $pzone $pfile > /dev/null
34
35awk '$2 ~ /RRSIG/ {
36        type = $3;
37        getline;
38	id = $3;
39	if ($4 ~ /'${czone}'/) {
40		print type, id
41	}
42}' < ${cfile}.signed > sigs
43
44awk '$2 ~ /DNSKEY/ {
45	flags = $3;
46	while ($0 !~ /key id =/)
47		getline;
48	id = $NF;
49	print flags, id;
50}' < ${cfile}.signed > keys
51
52echo_i "checking that KSK signed DNSKEY only ($n)"
53ret=0
54grep "DNSKEY $ksk"'$' sigs > /dev/null || ret=1
55grep "SOA $ksk"'$' sigs > /dev/null && ret=1
56n=`expr $n + 1`
57if [ $ret != 0 ]; then echo_i "failed"; fi
58status=`expr $status + $ret`
59
60echo_i "checking that ZSK signed ($n)"
61ret=0
62grep "SOA $zsk"'$' sigs > /dev/null || ret=1
63n=`expr $n + 1`
64if [ $ret != 0 ]; then echo_i "failed"; fi
65status=`expr $status + $ret`
66
67echo_i "checking that standby ZSK did not sign ($n)"
68ret=0
69grep " $standby"'$' sigs > /dev/null && ret=1
70n=`expr $n + 1`
71if [ $ret != 0 ]; then echo_i "failed"; fi
72status=`expr $status + $ret`
73
74echo_i "checking that inactive key did not sign ($n)"
75ret=0
76grep " $inact"'$' sigs > /dev/null && ret=1
77n=`expr $n + 1`
78if [ $ret != 0 ]; then echo_i "failed"; fi
79status=`expr $status + $ret`
80
81echo_i "checking that pending key was not published ($n)"
82ret=0
83grep " $pending"'$' keys > /dev/null && ret=1
84n=`expr $n + 1`
85if [ $ret != 0 ]; then echo_i "failed"; fi
86status=`expr $status + $ret`
87
88echo_i "checking that standby KSK did not sign but is delegated ($n)"
89ret=0
90grep " $rolling"'$' sigs > /dev/null && ret=1
91grep " $rolling"'$' keys > /dev/null || ret=1
92egrep "DS[ 	]*$rolling[ 	]" ${pfile}.signed > /dev/null || ret=1
93n=`expr $n + 1`
94if [ $ret != 0 ]; then echo_i "failed"; fi
95status=`expr $status + $ret`
96
97echo_i "checking that key was revoked ($n)"
98ret=0
99grep " $prerev"'$' keys > /dev/null && ret=1
100grep " $postrev"'$' keys > /dev/null || ret=1
101n=`expr $n + 1`
102if [ $ret != 0 ]; then echo_i "failed"; fi
103status=`expr $status + $ret`
104
105echo_i "checking that revoked key self-signed ($n)"
106ret=0
107grep "DNSKEY $postrev"'$' sigs > /dev/null || ret=1
108grep "SOA $postrev"'$' sigs > /dev/null && ret=1
109n=`expr $n + 1`
110if [ $ret != 0 ]; then echo_i "failed"; fi
111status=`expr $status + $ret`
112
113echo_i "waiting 20 seconds for key changes to occur"
114sleep 20
115
116echo_i "re-signing zone"
117$SIGNER  -Sg -o $czone -f ${cfile}.new ${cfile}.signed > /dev/null
118
119echo_i "checking that standby KSK is now active ($n)"
120ret=0
121grep "DNSKEY $rolling"'$' sigs > /dev/null && ret=1
122n=`expr $n + 1`
123if [ $ret != 0 ]; then echo_i "failed"; fi
124status=`expr $status + $ret`
125
126echo_i "checking update of an old-style key ($n)"
127ret=0
128# printing metadata should not work with an old-style key
129$SETTIME -pall `cat oldstyle.key` > /dev/null 2>&1 && ret=1
130$SETTIME -f `cat oldstyle.key` > /dev/null 2>&1 || ret=1
131# but now it should
132$SETTIME -pall `cat oldstyle.key` > /dev/null 2>&1 || ret=1
133n=`expr $n + 1`
134if [ $ret != 0 ]; then echo_i "failed"; fi
135status=`expr $status + $ret`
136
137echo_i "checking warning about permissions change on key with dnssec-settime ($n)"
138uname=`uname -o 2> /dev/null`
139if [ Cygwin = "$uname"  ]; then
140	echo_i "Cygwin detected, skipping"
141else
142	ret=0
143	# settime should print a warning about changing the permissions
144	chmod 644 `cat oldstyle.key`.private
145	$SETTIME -P none `cat oldstyle.key` > settime1.test$n 2>&1 || ret=1
146	grep "warning: Permissions on the file.*have changed" settime1.test$n > /dev/null 2>&1 || ret=1
147	$SETTIME -P none `cat oldstyle.key` > settime2.test$n 2>&1 || ret=1
148	grep "warning: Permissions on the file.*have changed" settime2.test$n > /dev/null 2>&1 && ret=1
149	n=`expr $n + 1`
150	if [ $ret != 0 ]; then echo_i "failed"; fi
151	status=`expr $status + $ret`
152fi
153
154echo_i "checking warning about delete date < inactive date with dnssec-settime ($n)"
155ret=0
156# settime should print a warning about delete < inactive
157$SETTIME -I now+15s -D now `cat oldstyle.key` > tmp.out 2>&1 || ret=1
158grep "warning" tmp.out > /dev/null 2>&1 || ret=1
159n=`expr $n + 1`
160if [ $ret != 0 ]; then echo_i "failed"; fi
161status=`expr $status + $ret`
162
163echo_i "checking no warning about delete date < inactive date with dnssec-settime when delete date is unset ($n)"
164ret=0
165$SETTIME -D none `cat oldstyle.key` > tmp.out 2>&1 || ret=1
166$SETTIME -p all `cat oldstyle.key` > tmp.out 2>&1 || ret=1
167grep "warning" tmp.out > /dev/null 2>&1 && ret=1
168n=`expr $n + 1`
169if [ $ret != 0 ]; then echo_i "failed"; fi
170status=`expr $status + $ret`
171
172echo_i "checking warning about delete date < inactive date with dnssec-keygen ($n)"
173ret=0
174# keygen should print a warning about delete < inactive
175$KEYGEN -q -a rsasha1 -I now+15s -D now $czone > tmp.out 2>&1 || ret=1
176grep "warning" tmp.out > /dev/null 2>&1 || ret=1
177n=`expr $n + 1`
178if [ $ret != 0 ]; then echo_i "failed"; fi
179status=`expr $status + $ret`
180
181echo_i "checking correct behavior setting activation without publication date ($n)"
182ret=0
183key=`$KEYGEN -q -a rsasha1 -A +1w $czone`
184pub=`$SETTIME -upP $key | awk '{print $2}'`
185act=`$SETTIME -upA $key | awk '{print $2}'`
186[ $pub -eq $act ] || ret=1
187key=`$KEYGEN -q -a rsasha1 -A +1w -i 1d $czone`
188pub=`$SETTIME -upP $key | awk '{print $2}'`
189act=`$SETTIME -upA $key | awk '{print $2}'`
190[ $pub -lt $act ] || ret=1
191key=`$KEYGEN -q -a rsasha1 -A +1w -P never $czone`
192pub=`$SETTIME -upP $key | awk '{print $2}'`
193[ $pub = "UNSET" ] || ret=1
194n=`expr $n + 1`
195if [ $ret != 0 ]; then echo_i "failed"; fi
196status=`expr $status + $ret`
197
198echo_i "checking calculation of dates for a successor key ($n)"
199ret=0
200oldkey=`$KEYGEN -a RSASHA1 -q $czone`
201newkey=`$KEYGEN -a RSASHA1 -q $czone`
202$SETTIME -A -2d -I +2d $oldkey > settime1.test$n 2>&1 || ret=1
203$SETTIME -i 1d -S $oldkey $newkey > settime2.test$n 2>&1 || ret=1
204$SETTIME -pA $newkey | grep "1970" > /dev/null && ret=1
205n=`expr $n + 1`
206if [ $ret != 0 ]; then echo_i "failed"; fi
207status=`expr $status + $ret`
208
209echo_i "exit status: $status"
210[ $status -eq 0 ] || exit 1
211