Merge branch 'test_fix_csk_roll' into 'master'

Test fix csk roll See merge request !859

Merge branch 'test_fix_csk_roll' into 'master'
Test fix csk roll See merge request !859
11a2a8bb · Daniel Salzman · 17f731bf · c07dea00 · 11a2a8bb · 11a2a8bb
Commit 11a2a8bb authored Nov 27, 2017 by Daniel Salzman
5 changed files
--- a/src/knot/dnssec/key-events.c
+++ b/src/knot/dnssec/key-events.c
@@ -69,7 +69,7 @@ static unsigned algorithm_present(const kdnssec_ctx_t *ctx, uint8_t alg)
 static bool signing_scheme_present(const kdnssec_ctx_t *ctx)
 {
 	if (ctx->policy->singe_type_signing) {
-		return (!key_present(ctx, true, false) || !key_present(ctx, false, true));
+		return (!key_present(ctx, true, false) || !key_present(ctx, false, true) || key_present(ctx, true, true));
 	} else {
 		return (key_present(ctx, true, false) && key_present(ctx, false, true));
 	}
@@ -173,9 +173,14 @@ static int share_or_generate_key(kdnssec_ctx_t *ctx, bool ksk, bool zsk, knot_ti
 		if (ret == KNOT_EOK) {
 			knot_kasp_key_t *newkey = key_get_by_id(ctx, borrow_key);
 			assert(newkey != NULL);
-			newkey->timing.publish = ctx->now;
-			newkey->timing.ready = when_active;
+			newkey->timing.remove = 0;
+			newkey->timing.retire = 0;
 			newkey->timing.active = (ksk ? 0 : when_active);
+			newkey->timing.ready  = (ksk ? when_active : 0);
+			newkey->timing.publish    = (pre_active ? 0 : ctx->now);
+			newkey->timing.pre_active = (pre_active ? ctx->now : 0);
+			newkey->is_ksk = ksk;
+			newkey->is_zsk = zsk;
 		}
 	}
 	free(borrow_zone);

--- a/src/utils/keymgr/functions.c
+++ b/src/utils/keymgr/functions.c
@@ -73,7 +73,8 @@ static bool is_timestamp(char *arg, knot_kasp_key_timing_t *timing)

 static bool genkeyargs(int argc, char *argv[], bool just_timing,
                       bool *isksk, dnssec_key_algorithm_t *algorithm,
-                       uint16_t *keysize, knot_kasp_key_timing_t *timing)
+                       uint16_t *keysize, knot_kasp_key_timing_t *timing,
+                       const char **addtopolicy)
 {
 	// generate algorithms field
 	char *algnames[256] = { 0 };
@@ -116,6 +117,8 @@ static bool genkeyargs(int argc, char *argv[], bool just_timing,
 			}
 		} else if (!just_timing && strncasecmp(argv[i], "size=", 5) == 0) {
 			*keysize = atol(argv[i] + 5);
+		} else if (!just_timing && strncasecmp(argv[i], "addtopolicy=", 12) == 0) {
+			*addtopolicy = argv[i] + 12;
 		} else if (!is_timestamp(argv[i], timing)) {
 			printf("Invalid parameter: %s\n", argv[i]);
 			return false;
@@ -131,8 +134,9 @@ int keymgr_generate_key(kdnssec_ctx_t *ctx, int argc, char *argv[])
 	knot_kasp_key_timing_t gen_timing = { now, infty, now, infty, now, infty, infty, infty, infty };
 	bool isksk = false;
 	uint16_t keysize = 0;
+	const char *addtopolicy = NULL;
 	if (!genkeyargs(argc, argv, false, &isksk, &ctx->policy->algorithm,
-			&keysize, &gen_timing)) {
+			&keysize, &gen_timing, &addtopolicy)) {
 		return KNOT_EINVAL;
 	}
 	if (keysize > 0) {
@@ -161,6 +165,23 @@ int keymgr_generate_key(kdnssec_ctx_t *ctx, int argc, char *argv[])

 	key->timing = gen_timing;

+	if (addtopolicy != NULL) {
+		char *last_policy_last = NULL;
+		knot_dname_t *unused;
+
+		ret = kasp_db_get_policy_last(*ctx->kasp_db, addtopolicy, &unused,
+		                              &last_policy_last);
+		if (ret != KNOT_EOK && ret != KNOT_ENOENT) {
+			return ret;
+		}
+
+		ret = kasp_db_set_policy_last(*ctx->kasp_db, addtopolicy, last_policy_last,
+		                              ctx->zone->dname, key->id);
+		if (ret != KNOT_EOK) {
+			return ret;
+		}
+	}
+
 	ret = kdnssec_ctx_commit(ctx);

 	if (ret == KNOT_EOK) {
@@ -347,7 +368,7 @@ int keymgr_import_pem(kdnssec_ctx_t *ctx, const char *import_file, int argc, cha
 	bool isksk = false;
 	uint16_t keysize = 0;
 	if (!genkeyargs(argc, argv, false, &isksk, &ctx->policy->algorithm,
-	                &keysize, &timing)) {
+			&keysize, &timing, NULL)) {
 		return KNOT_EINVAL;
 	}

@@ -590,7 +611,7 @@ int keymgr_set_timing(knot_kasp_key_t *key, int argc, char *argv[])
 {
 	knot_kasp_key_timing_t temp = key->timing;

-	if (genkeyargs(argc, argv, true, NULL, NULL, NULL, &temp)) {
+	if (genkeyargs(argc, argv, true, NULL, NULL, NULL, &temp, NULL)) {
 		key->timing = temp;
 		return KNOT_EOK;
 	}

--- a/tests-extra/tests/dnssec/csk_rollovers/test.py
+++ b/tests-extra/tests/dnssec/csk_rollovers/test.py
@@ -15,6 +15,14 @@ from dnstest.utils import *
 from dnstest.keys import Keymgr
 from dnstest.test import Test

+def pregenerate_key(server, zone, alg):
+    class a_class_with_name:
+        def __init__(self, name):
+            self.name = name
+
+    server.gen_key(a_class_with_name("notexisting.zone."), ksk=True, alg=alg,
+                   addtopolicy=zone[0].name)
+
 # check zone if keys are present and used for signing
 def check_zone(server, zone, dnskeys, dnskey_rrsigs, cdnskeys, soa_rrsigs, msg):
    qdnskeys = server.dig("example.com", "DNSKEY", bufsize=4096)
@@ -167,13 +175,14 @@ child.zonefile_sync = 24 * 60 * 60

 child.dnssec(child_zone).enable = True
 child.dnssec(child_zone).manual = False
-child.dnssec(child_zone).alg = "RSASHA512"
+child.dnssec(child_zone).alg = "ECDSAP384SHA384"
 child.dnssec(child_zone).dnskey_ttl = 2
 child.dnssec(child_zone).zsk_lifetime = 99999
 child.dnssec(child_zone).ksk_lifetime = 300 # this can be possibly left also infinity
 child.dnssec(child_zone).propagation_delay = 11
 child.dnssec(child_zone).ksk_sbm_check = [ parent ]
 child.dnssec(child_zone).ksk_sbm_check_interval = 2
+child.dnssec(child_zone).ksk_shared = True

 # parameters
 ZONE = "example.com."
@@ -181,18 +190,25 @@ ZONE = "example.com."
 t.start()
 child.zone_wait(child_zone)

-watch_alg_rollover(t, child, child_zone, 2, 1, "KZSK to CSK alg", "RSASHA256", True, cds_submission)
+pregenerate_key(child, child_zone, "ECDSAP256SHA256")
+watch_alg_rollover(t, child, child_zone, 2, 1, "KZSK to CSK alg", "ECDSAP256SHA256", True, cds_submission)

+pregenerate_key(child, child_zone, "ECDSAP256SHA256")
 watch_ksk_rollover(t, child, child_zone, 1, 1, 2, "CSK rollover", True, 27, cds_submission)

+pregenerate_key(child, child_zone, "ECDSAP256SHA256")
 watch_ksk_rollover(t, child, child_zone, 1, 2, 3, "CSK to KZSK", False, 0, cds_submission)

+pregenerate_key(child, child_zone, "ECDSAP256SHA256")
 watch_ksk_rollover(t, child, child_zone, 2, 2, 3, "KSK rollover", False, 27, cds_submission)

+pregenerate_key(child, child_zone, "ECDSAP256SHA256")
 watch_ksk_rollover(t, child, child_zone, 2, 1, 3, "KZSK to CSK", True, 0, cds_submission)

-watch_alg_rollover(t, child, child_zone, 1, 1, "CSK to CSK alg", "RSASHA512", True, cds_submission)
+pregenerate_key(child, child_zone, "ECDSAP384SHA384")
+watch_alg_rollover(t, child, child_zone, 1, 1, "CSK to CSK alg", "ECDSAP384SHA384", True, cds_submission)

-watch_alg_rollover(t, child, child_zone, 1, 2, "CSK to KZSK alg", "RSASHA256", False, cds_submission)
+pregenerate_key(child, child_zone, "ECDSAP256SHA256")
+watch_alg_rollover(t, child, child_zone, 1, 2, "CSK to KZSK alg", "ECDSAP256SHA256", False, cds_submission)

 t.end()
--- a/tests-extra/tools/dnstest/keys.py
+++ b/tests-extra/tools/dnstest/keys.py
@@ -108,12 +108,22 @@ class Keymgr(object):
 class Key(object):
    '''DNSSEC key generator'''

-    def __init__(self, key_dir, zone_name, ksk=False, alg="rsasha256", key_len=512):
+    def __init__(self, key_dir, zone_name, ksk=False, alg="ECDSAP256SHA256",
+                 key_len=-1, addtopolicy=None):
        self.dir = key_dir
        self.zone_name = zone_name
        self.alg = alg
-        self.len = key_len
-        self.ksk = ksk
+        self.len = int(key_len)
+        self.ksk = bool(ksk)
+        self.addtopolicy = addtopolicy
+
+        if self.len < 0:
+            try:
+                self.len = int(alg[-3:])
+            except ValueError:
+                pass
+            if self.len < 100 or self.len % 128 != 0:
+                self.len = 256

    def _keymgr(self, *args):
        return Keymgr.run(self.dir, *args)
@@ -126,10 +136,14 @@ class Key(object):
            "size=" + str(self.len)
        ]

+        if self.addtopolicy is not None:
+            cmd.append("addtopolicy=" + str(self.addtopolicy))
+
        return cmd

    def generate(self):
        command = self._gen_command()
-        (exit_code, _, _) = self._keymgr(*command)
+        (exit_code, stdout, stderr) = self._keymgr(*command)
        if exit_code != 0:
-            raise Failed("Can't generate key for zone '%s'." % self.zone_name)
+            raise Failed("Can't generate key for zone '%s'. Stderr: %s" % (self.zone_name, stderr))
+
--- a/tests-extra/tools/dnstest/server.py
+++ b/tests-extra/tools/dnstest/server.py
@@ -56,6 +56,7 @@ class ZoneDnssec(object):
        self.nsec3_salt_len = None
        self.ksk_sbm_check = []
        self.ksk_sbm_check_interval = None
+        self.ksk_shared = None

 class Zone(object):
    '''DNS zone description'''
@@ -1180,6 +1181,7 @@ class Knot(Server):
            self._str(s, "nsec3-salt-length", z.dnssec.nsec3_salt_len)
            if len(z.dnssec.ksk_sbm_check) > 0:
                s.item("ksk-submission", z.name)
+            self._bool(s, "ksk-shared", z.dnssec.ksk_shared)
        if have_policy:
            s.end()