def test_new_key(context: IntegrationTestsContext) -> None:
"""Tests --new-key and its interactions with --reuse-key"""
def private_key(generation: int) -> Tuple[str, str]:
pk_path = join(context.config_dir, f'archive/{certname}/privkey{generation}.pem')
with open(pk_path, 'r') as file:
return file.read(), pk_path
certname = context.get_domain('newkey')
context.certbot(['--domains', certname, '--reuse-key',
'--key-type', 'rsa', '--rsa-key-size', '4096'])
privkey1, _ = private_key(1)
# renew: --new-key should replace the key, but keep reuse_key and the key type + params
context.certbot(['renew', '--cert-name', certname, '--new-key'])
privkey2, privkey2_path = private_key(2)
assert privkey1 != privkey2
assert_saved_lineage_option(context.config_dir, certname, 'reuse_key', 'True')
assert_rsa_key(privkey2_path, 4096)
# certonly: it should replace the key but the key size will change
context.certbot(['certonly', '-d', certname, '--reuse-key', '--new-key'])
privkey3, privkey3_path = private_key(3)
assert privkey2 != privkey3
assert_saved_lineage_option(context.config_dir, certname, 'reuse_key', 'True')
assert_rsa_key(privkey3_path, 2048)
# certonly: it should be possible to change the key type and keep reuse_key
context.certbot(['certonly', '-d', certname, '--reuse-key', '--new-key', '--key-type', 'ecdsa',
'--cert-name', certname])
privkey4, privkey4_path = private_key(4)
assert privkey3 != privkey4
assert_saved_lineage_option(context.config_dir, certname, 'reuse_key', 'True')
assert_elliptic_key(privkey4_path, SECP256R1)
def test_default_key_type(context: IntegrationTestsContext) -> None:
"""Test default key type is RSA"""
certname = context.get_domain('renew')
context.certbot(['certonly', '--cert-name', certname, '-d', certname])
filename = join(context.config_dir,
'archive/{0}/privkey1.pem').format(certname)
assert_rsa_key(filename)
def test_renew_with_ec_keys(context: IntegrationTestsContext) -> None:
"""Test proper renew with updated private key complexity."""
certname = context.get_domain('renew')
context.certbot([
'certonly',
'--cert-name', certname,
'--key-type', 'ecdsa', '--elliptic-curve', 'secp256r1',
'--force-renewal', '-d', certname,
])
key1 = join(context.config_dir, "archive", certname, 'privkey1.pem')
assert 200 < os.stat(key1).st_size < 250 # ec keys of 256 bits are ~225 bytes
assert_elliptic_key(key1, SECP256R1)
assert_cert_count_for_lineage(context.config_dir, certname, 1)
assert_saved_lineage_option(context.config_dir, certname, 'key_type', 'ecdsa')
context.certbot(['renew', '--elliptic-curve', 'secp384r1'])
assert_cert_count_for_lineage(context.config_dir, certname, 2)
key2 = join(context.config_dir, 'archive', certname, 'privkey2.pem')
assert 280 < os.stat(key2).st_size < 320 # ec keys of 384 bits are ~310 bytes
assert_elliptic_key(key2, SECP384R1)
# When running non-interactively, if --key-type is unspecified but the default value differs
# to the lineage key type, Certbot should keep the lineage key type. The curve will still
# change to the default value, in order to stay consistent with the behavior of certonly.
context.certbot(['certonly', '--force-renewal', '-d', certname])
assert_cert_count_for_lineage(context.config_dir, certname, 3)
key3 = join(context.config_dir, 'archive', certname, 'privkey3.pem')
assert 200 < os.stat(key3).st_size < 250 # ec keys of 256 bits are ~225 bytes
assert_elliptic_key(key3, SECP256R1)
# When running non-interactively, specifying a different --key-type requires user confirmation
# with both --key-type and --cert-name.
with pytest.raises(subprocess.CalledProcessError) as error:
context.certbot(['certonly', '--force-renewal', '-d', certname,
'--key-type', 'rsa'])
assert 'Please provide both --cert-name and --key-type' in error.value.stderr
context.certbot(['certonly', '--force-renewal', '-d', certname,
'--key-type', 'rsa', '--cert-name', certname])
assert_cert_count_for_lineage(context.config_dir, certname, 4)
key4 = join(context.config_dir, 'archive', certname, 'privkey4.pem')
assert_rsa_key(key4)
# We expect that the previous behavior of requiring both --cert-name and
# --key-type to be set to not apply to the renew subcommand.
context.certbot(['renew', '--force-renewal', '--key-type', 'ecdsa'])
assert_cert_count_for_lineage(context.config_dir, certname, 5)
key5 = join(context.config_dir, 'archive', certname, 'privkey5.pem')
assert 200 < os.stat(key5).st_size < 250 # ec keys of 256 bits are ~225 bytes
assert_elliptic_key(key5, SECP256R1)
def test_renew_with_ec_keys(context):
"""Test proper renew with updated private key complexity."""
certname = context.get_domain('renew')
context.certbot([
'certonly',
'--cert-name', certname,
'--key-type', 'ecdsa', '--elliptic-curve', 'secp256r1',
'--force-renewal', '-d', certname,
])
key1 = join(context.config_dir, "archive", certname, 'privkey1.pem')
assert 200 < os.stat(key1).st_size < 250 # ec keys of 256 bits are ~225 bytes
assert_elliptic_key(key1, SECP256R1)
assert_cert_count_for_lineage(context.config_dir, certname, 1)
context.certbot(['renew', '--elliptic-curve', 'secp384r1'])
assert_cert_count_for_lineage(context.config_dir, certname, 2)
key2 = join(context.config_dir, 'archive', certname, 'privkey2.pem')
assert_elliptic_key(key2, SECP384R1)
assert 280 < os.stat(key2).st_size < 320 # ec keys of 384 bits are ~310 bytes
context.certbot(['renew', '--elliptic-curve', 'secp521r1'])
assert_cert_count_for_lineage(context.config_dir, certname, 3)
key3 = join(context.config_dir, 'archive', certname, 'privkey3.pem')
assert_elliptic_key(key3, SECP521R1)
assert 340 < os.stat(key3).st_size < 390 # ec keys of 521 bits are ~365 bytes
# We expect here that the command will fail because without --key-type specified,
# Certbot must error out to prevent changing an existing certificate key type,
# without explicit user consent (by specifying both --cert-name and --key-type).
with pytest.raises(subprocess.CalledProcessError):
context.certbot([
'certonly',
'--force-renewal',
'-d', certname
])
# We expect that the previous behavior of requiring both --cert-name and
# --key-type to be set to not apply to the renew subcommand.
context.certbot(['renew', '--force-renewal', '--key-type', 'rsa'])
assert_cert_count_for_lineage(context.config_dir, certname, 4)
key4 = join(context.config_dir, 'archive', certname, 'privkey4.pem')
assert_rsa_key(key4)
