From f15f4f9838c46e015fb4a183aeb415c794418ea9 Mon Sep 17 00:00:00 2001
From: Brad Warren
Date: Wed, 11 Nov 2020 15:06:50 -0800
Subject: [PATCH] Add certbot renew --key-type test (#8447)

* Test certbot renew --key-type

* Fix typo
---
 .../certbot_tests/assertions.py | 18 ++++++++++++++++++
 .../certbot_tests/test_main.py | 17 +++++++++--------
 2 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/certbot-ci/certbot_integration_tests/certbot_tests/assertions.py b/certbot-ci/certbot_integration_tests/certbot_tests/assertions.py
index c19c0762e..c223d524c 100644
--- a/certbot-ci/certbot_integration_tests/certbot_tests/assertions.py
+++ b/certbot-ci/certbot_integration_tests/certbot_tests/assertions.py
@@ -4,6 +4,7 @@ import os
 
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
 from cryptography.hazmat.primitives.serialization import load_pem_private_key
 
 try:
@@ -21,6 +22,11 @@ ADMINS_SID = 'S-1-5-32-544'
 
 
 def assert_elliptic_key(key, curve):
+    """
+    Asserts that the key at the given path is an EC key using the given curve.
+    :param key: path to key
+    :param curve: name of the expected elliptic curve
+    """
     with open(key, 'rb') as file:
         privkey1 = file.read()
 
@@ -30,6 +36,18 @@ def assert_elliptic_key(key, curve):
     assert isinstance(key.curve, curve)
 
 
+def assert_rsa_key(key):
+    """
+    Asserts that the key at the given path is an RSA key.
+    :param key: path to key
+    """
+    with open(key, 'rb') as file:
+        privkey1 = file.read()
+
+    key = load_pem_private_key(data=privkey1, password=None, backend=default_backend())
+    assert isinstance(key, RSAPrivateKey)
+
+
 def assert_hook_execution(probe_path, probe_content):
     """
     Assert that a certbot hook has been executed 
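Review bot: The new docstring on assert_elliptic_key describes `curve` as `name of the expected elliptic curve`, but the function's existing check, visible as context at the top of the next hunk, is `assert isinstance(key.curve, curve)`, so the argument is the cryptography curve class rather than a name string, and a caller who followed the docstring and passed a name would see the assertion fail regardless of the key. Change that line to `:param curve: cryptography curve class the key must use, e.g. SECP256R1`. The body of assert_elliptic_key continues past the end of this hunk.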
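Review bot: In the new assert_rsa_key the parameter `key` is rebound from the file path to the loaded key object on the `key = load_pem_private_key(...)` line, so one name means two different things a few lines apart (assert_elliptic_key, seen in the hunk context, has the same pattern); a distinct name such as `privkey` removes the ambiguity. The helper also accepts an RSA key of any modulus size, which is a weak check for a suite whose job is to pin what certbot generates; an optional `key_size=None` parameter that, when supplied, asserts `privkey.key_size == key_size` lets callers tighten the check without touching existing call sites. The rewrite below keeps the file read and the type check as they are.
```python
def assert_rsa_key(key, key_size=None):
    """
    Asserts that the key at the given path is an RSA key.
    :param key: path to key
    :param key_size: if given, the RSA modulus size in bits the key must have
    """
    with open(key, 'rb') as file:
        privkey1 = file.read()

    privkey = load_pem_private_key(data=privkey1, password=None, backend=default_backend())
    assert isinstance(privkey, RSAPrivateKey)
    if key_size is not None:
        assert privkey.key_size == key_size
```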
diff --git a/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py b/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
index 58d5a852d..d77a71064 100644
--- a/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
+++ b/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
@@ -9,10 +9,7 @@ import shutil
 import subprocess
 import time
 
-from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric.ec import SECP256R1, SECP384R1
-from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
-from cryptography.hazmat.primitives.serialization import load_pem_private_key
 from cryptography.x509 import NameOID
 
 import pytest
@@ -20,6 +17,7 @@ import pytest
 from certbot_integration_tests.certbot_tests import context as certbot_context
 from certbot_integration_tests.certbot_tests.assertions import assert_cert_count_for_lineage
 from certbot_integration_tests.certbot_tests.assertions import assert_elliptic_key
+from certbot_integration_tests.certbot_tests.assertions import assert_rsa_key
 from certbot_integration_tests.certbot_tests.assertions import assert_equals_group_owner
 from certbot_integration_tests.certbot_tests.assertions import assert_equals_group_permissions
 from certbot_integration_tests.certbot_tests.assertions import assert_equals_world_read_permissions
@@ -460,11 +458,7 @@ def test_default_key_type(context):
         '--cert-name', certname, '-d', certname
     ])
     filename = join(context.config_dir, 'archive/{0}/privkey1.pem').format(certname)
-    with open(filename, 'rb') as file:
-        privkey1 = file.read()
-
-    key = load_pem_private_key(data=privkey1, password=None, backend=default_backend())
-    assert isinstance(key, RSAPrivateKey)
+    assert_rsa_key(filename)
 
 
 def test_default_curve_type(context):
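Review bot: The added `from certbot_integration_tests.certbot_tests.assertions import assert_rsa_key` line sits between the assert_elliptic_key and assert_equals_group_owner imports, which breaks the alphabetical order the surrounding assertions imports otherwise follow; placing it after the last assert_equals_* import keeps the list sorted and avoids a complaint should the project enforce import ordering. The import run continues past the end of this hunk, so the exact final position depends on what follows. This is a style point only; nothing in the hunk is functionally wrong.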
@@ -509,6 +503,13 @@ def test_renew_with_ec_keys(context):
         '-d', certname
     ])
 
+    # We expect that the previous behavior of requiring both --cert-name and
+    # --key-type to be set to not apply to the renew subcommand.
+    context.certbot(['renew', '--force-renewal', '--key-type', 'rsa'])
+    assert_cert_count_for_lineage(context.config_dir, certname, 3)
+    key3 = join(context.config_dir, 'archive', certname, 'privkey3.pem')
+    assert_rsa_key(key3)
+
 
 def test_ocsp_must_staple(context):
     """Test that OCSP Must-Staple is correctly set in the generated certificate."""
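Review bot: The new renew step asserts only that privkey3.pem is RSA, so it would still pass if the `--key-type rsa` given on the command line were not persisted into the lineage's renewal configuration and a later unattended renewal silently switched the key back to ECDSA; a follow-up `context.certbot(['renew', '--force-renewal'])`, then `assert_cert_count_for_lineage(context.config_dir, certname, 4)` and `assert_rsa_key(join(context.config_dir, 'archive', certname, 'privkey4.pem'))`, would pin the persisted choice. Whether certbot writes key_type into the renewal conf on renew is not visible in this diff, so confirm that behavior before adding the assertion. The two-line comment `We expect that the previous behavior ... to not apply to the renew subcommand` is hard to parse; `# The --cert-name requirement that accompanies --key-type elsewhere should not apply to renew.` says the same in one line. test_renew_with_ec_keys begins before this hunk.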