github.com/certbot/certbot.git - Unnamed repository; edit this file 'description' to name the repository.
authorMads Jensen <mje@inducks.org>2022-02-04 04:34:04 +0300
committerGitHub <noreply@github.com>2022-02-04 04:34:04 +0300
commitfe0c0dc3ae6c25c6087e51717a223f38a9b23d2f (patch)
tree21b0a16c784ed1a4503e81a5224634c432455739 /certbot-ci
parent5b17a18355222c511b3d5e4442f01520765e8b8f (diff)
Add support for revoking ecdsa keys without --cert-name. (#8725)
* Add support for revoking ecdsa keys without --cert-name. Co-Authored-By: commonism <commonism@users.noreply.github.com> * Move alg to acme_client.ClientNetwork instantiating in acme_from_config_key * Fix argument for RS256/ES256 * Support also ES384 and ES512 signing algorithms.
Diffstat (limited to 'certbot-ci')
-rw-r--r--certbot-ci/certbot_integration_tests/certbot_tests/test_main.py55
1 files changed, 55 insertions, 0 deletions
diff --git a/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py b/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
index d04fbff6c..146ba58bb 100644
--- a/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
+++ b/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
@@ -643,6 +643,61 @@ def test_revoke_and_unregister(context: IntegrationTestsContext) -> None:
assert cert3 in stdout
+@pytest.mark.parametrize('curve,curve_cls,skip_servers', [
+ ('secp256r1', SECP256R1, []),
+ ('secp384r1', SECP384R1, []),
+ ('secp521r1', SECP521R1, ['boulder-v2'])]
+)
+def test_revoke_ecdsa_cert_key(
+ context: IntegrationTestsContext, curve: str, curve_cls: Type[EllipticCurve],
+ skip_servers: Iterable[str]) -> None:
+ """Test revoking a certificate """
+ if context.acme_server in skip_servers:
+ pytest.skip(f'ACME server {context.acme_server} does not support ECDSA curve {curve}')
+ cert: str = context.get_domain('curve')
+ context.certbot([
+ 'certonly',
+ '--key-type', 'ecdsa', '--elliptic-curve', curve,
+ '-d', cert,
+ ])
+ key = join(context.config_dir, "live", cert, 'privkey.pem')
+ cert_path = join(context.config_dir, "live", cert, 'cert.pem')
+ assert_elliptic_key(key, curve_cls)
+ context.certbot([
+ 'revoke', '--cert-path', cert_path, '--key-path', key,
+ '--no-delete-after-revoke',
+ ])
+ stdout, _ = context.certbot(['certificates'])
+ assert stdout.count('INVALID: REVOKED') == 1, 'Expected {0} to be REVOKED'.format(cert)
+
+
+@pytest.mark.parametrize('curve,curve_cls,skip_servers', [
+ ('secp256r1', SECP256R1, []),
+ ('secp384r1', SECP384R1, []),
+ ('secp521r1', SECP521R1, ['boulder-v2'])]
+)
+def test_revoke_ecdsa_cert_key_delete(
+ context: IntegrationTestsContext, curve: str, curve_cls: Type[EllipticCurve],
+ skip_servers: Iterable[str]) -> None:
+ """Test revoke and deletion for each supported curve type"""
+ if context.acme_server in skip_servers:
+ pytest.skip(f'ACME server {context.acme_server} does not support ECDSA curve {curve}')
+ cert: str = context.get_domain('curve')
+ context.certbot([
+ 'certonly',
+ '--key-type', 'ecdsa', '--elliptic-curve', curve,
+ '-d', cert,
+ ])
+ key = join(context.config_dir, "live", cert, 'privkey.pem')
+ cert_path = join(context.config_dir, "live", cert, 'cert.pem')
+ assert_elliptic_key(key, curve_cls)
+ context.certbot([
+ 'revoke', '--cert-path', cert_path, '--key-path', key,
+ '--delete-after-revoke',
+ ])
+ assert not exists(cert_path)
+
+
def test_revoke_mutual_exclusive_flags(context: IntegrationTestsContext) -> None:
"""Test --cert-path and --cert-name cannot be used during revoke."""
cert = context.get_domain('le1')
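Review bot: In test_revoke_ecdsa_cert_key_delete the only check is `assert not exists(cert_path)`, so the test passes once cert.pem is gone and never looks at the private key that was just used to sign the revocation request. Adding `assert not exists(key)` would catch a delete path that leaves privkey.pem on disk. In test_revoke_ecdsa_cert_key, `stdout.count('INVALID: REVOKED') == 1` is not tied to the certificate under test even though the failure message names it; an `assert cert in stdout` next to it would make that link explicit. The docstring `"""Test revoking a certificate """` could state what is specific to this test, for example `"""Test revoking an ECDSA certificate with its own private key (--key-path) for each supported curve."""`.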