test: certbot-ci crash due to no p521 on boulder (#8602)

* test: certbot-ci crash due to no p521 on boulder

The bugfix in #8598 added an integration test to request a certificate
for an EC P-521 key, which is unsupported when ACME_SERVER=boulder,
failing our nightly integration tests.

* add an integration test for all EC curves

certbot-ci/certbot_integration_tests/certbot_tests/test_main.py

@@ -476,6 +476,28 @@ def test_default_curve_type(context):
     assert_elliptic_key(key1, SECP256R1)
 
 
+@pytest.mark.parametrize('curve,curve_cls,skip_servers', [
+    # Curve name, Curve class, ACME servers to skip
+    ('secp256r1', SECP256R1, []),
+    ('secp384r1', SECP384R1, []),
+    ('secp521r1', SECP521R1, ['boulder-v1', 'boulder-v2'])]
+)
+def test_ecdsa_curves(context, curve, curve_cls, skip_servers):
+    """Test issuance for each supported ECDSA curve"""
+    if context.acme_server in skip_servers:
+        pytest.skip('ACME server {} does not support ECDSA curve {}'
+                    .format(context.acme_server, curve))
+
+    domain = context.get_domain('curve')
+    context.certbot([
+        'certonly',
+        '--key-type', 'ecdsa', '--elliptic-curve', curve,
+        '--force-renewal', '-d', domain,
+    ])
+    key = join(context.config_dir, "live", domain, 'privkey.pem')
+    assert_elliptic_key(key, curve_cls)
+
+
 def test_renew_with_ec_keys(context):
     """Test proper renew with updated private key complexity."""
     certname = context.get_domain('renew')
@@ -498,13 +520,6 @@ def test_renew_with_ec_keys(context):
     assert_elliptic_key(key2, SECP384R1)
     assert 280 < os.stat(key2).st_size < 320  # ec keys of 384 bits are ~310 bytes
 
-    context.certbot(['renew', '--elliptic-curve', 'secp521r1'])
-
-    assert_cert_count_for_lineage(context.config_dir, certname, 3)
-    key3 = join(context.config_dir, 'archive', certname, 'privkey3.pem')
-    assert_elliptic_key(key3, SECP521R1)
-    assert 340 < os.stat(key3).st_size < 390  # ec keys of 521 bits are ~365 bytes
-
     # We expect here that the command will fail because without --key-type specified,
     # Certbot must error out to prevent changing an existing certificate key type,
     # without explicit user consent (by specifying both --cert-name and --key-type).
@@ -518,9 +533,9 @@ def test_renew_with_ec_keys(context):
     # We expect that the previous behavior of requiring both --cert-name and
     # --key-type to be set to not apply to the renew subcommand.
     context.certbot(['renew', '--force-renewal', '--key-type', 'rsa'])
-    assert_cert_count_for_lineage(context.config_dir, certname, 4)
-    key4 = join(context.config_dir, 'archive', certname, 'privkey4.pem')
-    assert_rsa_key(key4)
+    assert_cert_count_for_lineage(context.config_dir, certname, 3)
+    key3 = join(context.config_dir, 'archive', certname, 'privkey3.pem')
+    assert_rsa_key(key3)
 
 
 def test_ocsp_must_staple(context):

certbot/tests/crypto_util_test.py

@@ -184,11 +184,13 @@ class MakeKeyTest(unittest.TestCase):
     def test_ec(self):  # pylint: disable=no-self-use
         # ECDSA Key Type Tests
         from certbot.crypto_util import make_key
-        # Do not test larger keys as it takes too long.
 
-        # Try a good key size for ECDSA
-        OpenSSL.crypto.load_privatekey(
-            OpenSSL.crypto.FILETYPE_PEM, make_key(elliptic_curve="secp256r1", key_type='ecdsa'))
+        for (name, bits) in [('secp256r1', 256), ('secp384r1', 384), ('secp521r1', 521)]:
+            pkey = OpenSSL.crypto.load_privatekey(
+                OpenSSL.crypto.FILETYPE_PEM,
+                make_key(elliptic_curve=name, key_type='ecdsa')
+            )
+            self.assertEqual(pkey.bits(), bits)
 
     def test_bad_key_sizes(self):
         from certbot.crypto_util import make_key