change default key_type from rsa to ecdsa

Alex Zorin 2022-07-18 18:27:19 +10:00
parent 32608a142b
commit 82b6e15be7
3 changed files with 14 additions and 14 deletions


@ -112,7 +112,7 @@ def test_http_01(context: IntegrationTestsContext) -> None:
assert_hook_execution(context.hook_probe, 'deploy')
assert_saved_renew_hook(context.config_dir, certname)
assert_saved_lineage_option(context.config_dir, certname, 'key_type', 'rsa')
assert_saved_lineage_option(context.config_dir, certname, 'key_type', 'ecdsa')
def test_manual_http_auth(context: IntegrationTestsContext) -> None:
@ -315,23 +315,23 @@ def test_graceful_renew_it_is_time(context: IntegrationTestsContext) -> None:
def test_renew_with_changed_private_key_complexity(context: IntegrationTestsContext) -> None:
"""Test proper renew with updated private key complexity."""
certname = context.get_domain('renew')
context.certbot(['-d', certname, '--rsa-key-size', '4096'])
context.certbot(['-d', certname, '--key-type', 'rsa', '--rsa-key-size', '4096'])
key1 = join(context.config_dir, 'archive', certname, 'privkey1.pem')
assert os.stat(key1).st_size > 3000 # 4096 bits keys takes more than 3000 bytes
assert_rsa_key(key1, 4096)
assert_cert_count_for_lineage(context.config_dir, certname, 1)
context.certbot(['renew'])
assert_cert_count_for_lineage(context.config_dir, certname, 2)
key2 = join(context.config_dir, 'archive', certname, 'privkey2.pem')
assert os.stat(key2).st_size > 3000
assert_rsa_key(key2, 4096)
context.certbot(['renew', '--rsa-key-size', '2048'])
assert_cert_count_for_lineage(context.config_dir, certname, 3)
key3 = join(context.config_dir, 'archive', certname, 'privkey3.pem')
assert os.stat(key3).st_size < 1800 # 2048 bits keys takes less than 1800 bytes
assert_rsa_key(key3, 2048)
def test_renew_ignoring_directory_hooks(context: IntegrationTestsContext) -> None:
@ -535,24 +535,24 @@ def test_ecdsa(context: IntegrationTestsContext) -> None:
def test_default_key_type(context: IntegrationTestsContext) -> None:
"""Test default key type is RSA"""
"""Test default key type is ECDSA"""
certname = context.get_domain('renew')
context.certbot([
'certonly',
'--cert-name', certname, '-d', certname
])
filename = join(context.config_dir, 'archive/{0}/privkey1.pem').format(certname)
assert_rsa_key(filename)
assert_elliptic_key(filename, SECP256R1)
def test_default_curve_type(context: IntegrationTestsContext) -> None:
"""test that the curve used when not specifying any is secp256r1"""
def test_default_rsa_size(context: IntegrationTestsContext) -> None:
"""test that the RSA key size used when not specifying any is 2048"""
certname = context.get_domain('renew')
context.certbot([
'--key-type', 'ecdsa', '--cert-name', certname, '-d', certname
'--key-type', 'rsa', '--cert-name', certname, '-d', certname
])
key1 = join(context.config_dir, 'archive/{0}/privkey1.pem'.format(certname))
assert_elliptic_key(key1, SECP256R1)
assert_rsa_key(key1, 2048)
@pytest.mark.parametrize('curve,curve_cls,skip_servers', [
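Review bot: In test_renew_with_changed_private_key_complexity the follow-up `context.certbot(['renew'])` and `context.certbot(['renew', '--rsa-key-size', '2048'])` calls still pass no `--key-type`, so with the default now ECDSA the `assert_rsa_key(key2, 4096)` and `assert_rsa_key(key3, 2048)` checks depend on renewal re-reading the lineage's stored key type rather than the CLI default. That expectation is implicit and should be written down, e.g. `# renewals must keep the lineage's RSA key type even though the global default is now ECDSA` above the first renew call. If pinning that behaviour is not the intent of this test, adding `'--key-type', 'rsa'` to both renew calls makes the test independent of it. The size-based checks such as `os.stat(key1).st_size > 3000` remain alongside `assert_rsa_key`, which is harmless but now redundant.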


@ -61,7 +61,7 @@ CLI_DEFAULTS: Dict[str, Any] = dict( # noqa
break_my_certs=False,
rsa_key_size=2048,
elliptic_curve="secp256r1",
key_type="rsa",
key_type="ecdsa",
must_staple=False,
redirect=None,
auto_hsts=False,
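Review bot: The new default `key_type="ecdsa"` changes the algorithm for every caller that does not pass `--key-type`, and the dict gives no hint that `rsa_key_size=2048` two lines above now only takes effect when RSA is requested explicitly; a comment such as `key_type="ecdsa",  # default for newly issued certificates; rsa_key_size only applies with --key-type rsa` would record that next to the value. Whether existing RSA lineages keep their key type on renewal is decided outside this hunk, presumably by the lineage's renewal configuration, and is worth confirming against the renewal code path so the default switch cannot silently change an existing lineage's key algorithm.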


@ -119,8 +119,8 @@ class RenewalTest(test_util.ConfigTestCase):
with mock.patch('certbot._internal.renewal.hooks.renew_hook'):
renewal.renew_cert(self.config, None, le_client, lineage)
self.assertEqual(self.config.rsa_key_size, 2048)
self.assertEqual(self.config.key_type, 'rsa')
self.assertEqual(self.config.elliptic_curve, 'secp256r1')
self.assertEqual(self.config.key_type, 'ecdsa')
self.assertTrue(self.config.reuse_key)
# None is passed as the existing key, i.e. the key is not actually being reused.
le_client.obtain_certificate.assert_called_with(mock.ANY, None)
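Review bot: The reordered assertions check that `renew_cert` leaves `self.config.key_type` at the new default `'ecdsa'`, which only covers the default path; the test method begins before this hunk, and from the visible lines there is no case where the lineage's stored configuration records `key_type = rsa`, which is precisely the case where a changed default could alter an existing lineage's key algorithm. If that is not covered elsewhere in RenewalTest, a companion assertion for an RSA lineage would pin it. A short comment above the three `assertEqual` lines, e.g. `# defaults (rsa_key_size, elliptic_curve, key_type) must survive renew_cert untouched`, would also explain why these values are asserted at all.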