author | alexzorin <alex@zorin.id.au> | 2022-03-31 21:40:21 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-03-31 21:40:21 +0300 |
commit | 284023a1b7672be2bd4018dd7623b3b92197d4b0 (patch) | |
tree | b1bcb0317c826a20179c6e43bd7bd9fc15b11c77 /certbot-ci | |
parent | 4456a6ba0be572a39cb620f9d4f896a240eec01e (diff) |
Add --new-key (#9252)
* add --new-key
* add tests
Diffstat (limited to 'certbot-ci')
-rw-r--r-- | certbot-ci/certbot_integration_tests/certbot_tests/assertions.py | 5 | ||||
-rw-r--r-- | certbot-ci/certbot_integration_tests/certbot_tests/test_main.py | 37 |
2 files changed, 41 insertions, 1 deletions
diff --git a/certbot-ci/certbot_integration_tests/certbot_tests/assertions.py b/certbot-ci/certbot_integration_tests/certbot_tests/assertions.py
index 272084217..3650f64f0 100644
--- a/certbot-ci/certbot_integration_tests/certbot_tests/assertions.py
+++ b/certbot-ci/certbot_integration_tests/certbot_tests/assertions.py
@@ -37,16 +37,19 @@ def assert_elliptic_key(key: str, curve: Type[EllipticCurve]) -> None:
 assert isinstance(key.curve, curve)
-def assert_rsa_key(key: str) -> None:
+def assert_rsa_key(key: str, key_size: Optional[int] = None) -> None:
 """
 Asserts that the key at the given path is an RSA key.
 :param str key: path to key
+ :param int key_size: if provided, assert that the RSA key is of this size
 """
 with open(key, 'rb') as file:
 privkey1 = file.read()
 key = load_pem_private_key(data=privkey1, password=None, backend=default_backend())
 assert isinstance(key, RSAPrivateKey)
+ if key_size:
+ assert key_size == key.key_size
 def assert_hook_execution(probe_path: str, probe_content: str) -> None:
diff --git a/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py b/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
index 4a3395217..2827ae939 100644
--- a/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
+++ b/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
@@ -8,6 +8,7 @@ import subprocess
 import time
 from typing import Iterable
 from typing import Generator
+from typing import Tuple
 from typing import Type
 from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurve
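Review bot: `if key_size:` in the added check skips the size assertion for any falsy argument, so a caller passing `0` by mistake gets a silent pass instead of a failure; since the parameter is annotated `Optional[int]`, `if key_size is not None:` is the check that matches the declared contract. The new docstring line could read `:param Optional[int] key_size: if provided, assert that the RSA key is of this size` so it agrees with the annotation. `Optional` has to be in scope in assertions.py and this hunk adds no import; presumably it is already imported next to `Type`, which the visible `assert_elliptic_key` signature uses, but that is worth confirming before merge. The remainder of assert_rsa_key is unchanged by this commit.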
@@ -463,6 +464,42 @@ def test_reuse_key(context: IntegrationTestsContext) -> None:
 assert len({cert1, cert2, cert3}) == 3
+def test_new_key(context: IntegrationTestsContext) -> None:
+ """Tests --new-key and its interactions with --reuse-key"""
+ def private_key(generation: int) -> Tuple[str, str]:
+ pk_path = join(context.config_dir, f'archive/{certname}/privkey{generation}.pem')
+ with open(pk_path, 'r') as file:
+ return file.read(), pk_path
+
+ certname = context.get_domain('newkey')
+
+ context.certbot(['--domains', certname, '--reuse-key',
+ '--key-type', 'rsa', '--rsa-key-size', '4096'])
+ privkey1, _ = private_key(1)
+
+ # renew: --new-key should replace the key, but keep reuse_key and the key type + params
+ context.certbot(['renew', '--cert-name', certname, '--new-key'])
+ privkey2, privkey2_path = private_key(2)
+ assert privkey1 != privkey2
+ assert_saved_lineage_option(context.config_dir, certname, 'reuse_key', 'True')
+ assert_rsa_key(privkey2_path, 4096)
+
+ # certonly: it should replace the key but the key size will change
+ context.certbot(['certonly', '-d', certname, '--reuse-key', '--new-key'])
+ privkey3, privkey3_path = private_key(3)
+ assert privkey2 != privkey3
+ assert_saved_lineage_option(context.config_dir, certname, 'reuse_key', 'True')
+ assert_rsa_key(privkey3_path, 2048)
+
+ # certonly: it should be possible to change the key type and keep reuse_key
+ context.certbot(['certonly', '-d', certname, '--reuse-key', '--new-key', '--key-type', 'ecdsa',
+ '--cert-name', certname])
+ privkey4, privkey4_path = private_key(4)
+ assert privkey3 != privkey4
+ assert_saved_lineage_option(context.config_dir, certname, 'reuse_key', 'True')
+ assert_elliptic_key(privkey4_path, SECP256R1)
+
+
 def test_incorrect_key_type(context: IntegrationTestsContext) -> None:
 with pytest.raises(subprocess.CalledProcessError):
 context.certbot(['--key-type="failwhale"']) |
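Review bot: The nested helper `private_key` reads `certname` from the enclosing scope, but `certname` is only assigned after the helper is defined; this works because the first call comes after the assignment, yet the forward reference through the closure is easy to break when the test is reordered. Moving `certname = context.get_domain('newkey')` above `def private_key` (or passing it in as a parameter) removes the dependence on call order. `open(pk_path, 'r')` reads the PEM text without an explicit `encoding`, so the decoded content depends on the locale of the CI runner; `open(pk_path, 'r', encoding='utf-8')` pins it and keeps the `privkey1 != privkey2` comparisons locale-independent. The hard-coded `2048` in `assert_rsa_key(privkey3_path, 2048)` presumably encodes certbot's default RSA key size, which the hunk does not state; a comment such as `# no --rsa-key-size given, so certbot falls back to its default (2048 at time of writing)` would explain why this step expects a different size from the 4096 asserted just above.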