author | alexzorin <alex@zorin.id.au> | 2021-01-13 03:08:32 +0300 |
committer | GitHub <noreply@github.com> | 2021-01-13 03:08:32 +0300 |
commit | 13d4a992519c52b0771eb5015ce372b298fabc57 (patch) | |
tree | 1bcd98a7be474c58f7df4cebf42239777018d94c /certbot-ci | |
parent | b9de48e93ef885d2ce5f3a0ee3083777fc32ab1f (diff) |
test: certbot-ci crash due to no p521 on boulder (#8602)
* test: certbot-ci crash due to no p521 on boulder
The bugfix in #8598 added an integration test to request a certificate
for an EC P-521 key, which is unsupported when ACME_SERVER=boulder,
failing our nightly integration tests.
* add an integration test for all EC curves
Diffstat (limited to 'certbot-ci')
-rw-r--r-- | certbot-ci/certbot_integration_tests/certbot_tests/test_main.py | 35 |
1 files changed, 25 insertions, 10 deletions
diff --git a/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py b/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
index 28a728370..4296de6f8 100644
--- a/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
+++ b/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
@@ -476,6 +476,28 @@ def test_default_curve_type(context):
 assert_elliptic_key(key1, SECP256R1)
 
 
+@pytest.mark.parametrize('curve,curve_cls,skip_servers', [
+ # Curve name, Curve class, ACME servers to skip
+ ('secp256r1', SECP256R1, []),
+ ('secp384r1', SECP384R1, []),
+ ('secp521r1', SECP521R1, ['boulder-v1', 'boulder-v2'])]
+)
+def test_ecdsa_curves(context, curve, curve_cls, skip_servers):
+ """Test issuance for each supported ECDSA curve"""
+ if context.acme_server in skip_servers:
+ pytest.skip('ACME server {} does not support ECDSA curve {}'
+ .format(context.acme_server, curve))
+
+ domain = context.get_domain('curve')
+ context.certbot([
+ 'certonly',
+ '--key-type', 'ecdsa', '--elliptic-curve', curve,
+ '--force-renewal', '-d', domain,
+ ])
+ key = join(context.config_dir, "live", domain, 'privkey.pem')
+ assert_elliptic_key(key, curve_cls)
+
+
 def test_renew_with_ec_keys(context):
 """Test proper renew with updated private key complexity."""
 certname = context.get_domain('renew')
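Review bot: The new `test_ecdsa_curves` only inspects `live/<domain>/privkey.pem`, so it proves that certbot generated a key on the requested curve but never checks that the ACME server actually issued a certificate for that key, which is the half of "Test issuance for each supported ECDSA curve" that the Boulder P-521 skip list exists for. Assuming `cryptography`'s `x509` is importable here (the curve classes already appear to come from it), adding `with open(join(context.config_dir, 'live', domain, 'cert.pem'), 'rb') as f: cert = x509.load_pem_x509_certificate(f.read(), default_backend())` followed by `assert isinstance(cert.public_key().curve, curve_cls)` would pin the issued certificate to the curve as well. The skip list hard-codes the server names `boulder-v1` and `boulder-v2` while nothing in the hunk shows how `context.acme_server` is populated; if those names drift the skip silently stops matching and the nightly run fails again, so a comment such as `# names must match the ACME_SERVER values the context fixture reports` would help the next maintainer. All three parametrized cases request the same `context.get_domain('curve')`, which is fine if `context` is function-scoped but would reissue into an existing lineage if the fixture is shared across parameters — worth confirming. The trailing context belongs to `test_renew_with_ec_keys`, whose body continues past the end of the hunk.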
@@ -498,13 +520,6 @@ def test_renew_with_ec_keys(context):
 assert_elliptic_key(key2, SECP384R1)
 assert 280 < os.stat(key2).st_size < 320 # ec keys of 384 bits are ~310 bytes
 
- context.certbot(['renew', '--elliptic-curve', 'secp521r1'])
-
- assert_cert_count_for_lineage(context.config_dir, certname, 3)
- key3 = join(context.config_dir, 'archive', certname, 'privkey3.pem')
- assert_elliptic_key(key3, SECP521R1)
- assert 340 < os.stat(key3).st_size < 390 # ec keys of 521 bits are ~365 bytes
-
 # We expect here that the command will fail because without --key-type specified,
 # Certbot must error out to prevent changing an existing certificate key type,
 # without explicit user consent (by specifying both --cert-name and --key-type).
@@ -518,9 +533,9 @@ def test_renew_with_ec_keys(context):
 # We expect that the previous behavior of requiring both --cert-name and
 # --key-type to be set to not apply to the renew subcommand.
 context.certbot(['renew', '--force-renewal', '--key-type', 'rsa'])
- assert_cert_count_for_lineage(context.config_dir, certname, 4)
- key4 = join(context.config_dir, 'archive', certname, 'privkey4.pem')
- assert_rsa_key(key4)
+ assert_cert_count_for_lineage(context.config_dir, certname, 3)
+ key3 = join(context.config_dir, 'archive', certname, 'privkey3.pem')
+ assert_rsa_key(key3)
 
 
 def test_ocsp_must_staple(context): |