# tests with elliptic curve keys and certificates
import logging
import pytest
from .md_conf import MDConf
from .md_env import MDTestEnv
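@pytest.mark.skipif(condition=not MDTestEnv.has_acme_server(),
                    reason="no ACME test server configured")
class TestAutov2:
    """Certificate acquisition with elliptic-curve (and mixed EC/RSA) private keys.

    Each test configures ``MDPrivateKeys`` for a fresh managed domain, lets
    mod_md obtain certificates from the ACME test server, and then checks via
    ``env`` that the expected key files exist and that a TLS client is served
    certificates of the expected key lengths for the given cipher families.
    """

    @pytest.fixture(autouse=True, scope='class')
    def _class_scope(self, env, acme):
        """Start the ACME test server and install an empty base config once per class."""
        env.APACHE_CONF_SRC = "data/test_auto"
        acme.start(config='default')
        env.check_acme()
        env.clear_store()
        MDConf(env).install()
        assert env.apache_restart() == 0

    @pytest.fixture(autouse=True, scope='function')
    def _method_scope(self, env, request):
        """Give every test an empty MD store and its own request-specific domain."""
        env.clear_store()
        self.test_domain = env.get_request_domain(request)

    def set_get_pkeys(self, env, domain, pkeys, conf=None):
        """Configure ``MDPrivateKeys`` for *domain* and wait until its certificates are obtained.

        Args:
            env: the test environment fixture.
            domain: the managed domain to configure.
            pkeys: list of dicts with a ``'spec'`` entry; the non-empty specs are
                joined (in order) into a single ``MDPrivateKeys`` directive.
                Empty specs carry no key to configure and are skipped.
            conf: an existing ``MDConf`` to extend; a fresh one is created when
                omitted. The ``<MDomain>`` and vhost for *domain* are added here,
                so a caller-supplied *conf* must not already contain them.
        """
        domains = [domain]
        if conf is None:
            conf = MDConf(env)
        # skip empty specs (callers use them for "no key of this kind"); this
        # mirrors the filtering done in check_pkeys()
        specs = " ".join(p['spec'] for p in pkeys if p['spec'])
        conf.add(f"MDPrivateKeys {specs}")
        conf.add_md(domains)
        conf.add_vhost(domains)
        conf.install()
        assert env.apache_restart() == 0
        assert env.await_completion([domain])

    def check_pkeys(self, env, domain, pkeys):
        """Verify the key files and the served certificate key lengths for *domain*.

        Entries with an empty ``'spec'`` have no key file to check; they are still
        handed to ``env.verify_cert_key_lenghts`` together with their ``'ciphers'``
        and ``'keylen'`` values (the tests below use ``'keylen': 0`` for them).
        """
        # check that files for all types have been created
        for p in pkeys:
            if p['spec']:
                env.check_md_complete(domain, p['spec'])
        # check that openssl client sees the cert with given keylength for cipher
        env.verify_cert_key_lenghts(domain, pkeys)

    def set_get_check_pkeys(self, env, domain, pkeys, conf=None):
        """Configure *pkeys* for *domain*, obtain the certificates and verify them."""
        self.set_get_pkeys(env, domain, pkeys, conf=conf)
        self.check_pkeys(env, domain, pkeys)

    # one EC key, no RSA
    def test_md_810_001(self, env):
        """A single secp256r1 key yields an ECDSA certificate and no RSA one."""
        domain = self.test_domain
        self.set_get_check_pkeys(env, domain, [
            {'spec': "secp256r1", 'ciphers': "ECDSA", 'keylen': 256},
            {'spec': "", 'ciphers': "RSA", 'keylen': 0},
        ])

    # set EC key type override on MD and get certificate
    def test_md_810_002(self, env):
        """An ``MDPrivateKeys`` inside the ``<MDomain>`` block overrides the global one.

        The global directive asks for secp256r1, the MD-level one for secp384r1;
        the served ECDSA certificate must have the 384-bit key.
        """
        domain = self.test_domain
        # generate config with one MD
        domains = [domain]
        conf = MDConf(env)
        conf.add("MDPrivateKeys secp256r1")
        conf.start_md(domains)
        conf.add(" MDPrivateKeys secp384r1")
        conf.end_md()
        conf.add_vhost(domains)
        # install this config directly instead of going through set_get_pkeys():
        # that helper either builds its own MDConf (silently dropping the
        # override configured above) or, when handed this conf, adds the MD
        # and vhost for the domain a second time
        conf.install()
        assert env.apache_restart() == 0
        assert env.await_completion(domains)
        self.check_pkeys(env, domain, [
            {'spec': "secp384r1", 'ciphers': "ECDSA", 'keylen': 384},
            {'spec': "", 'ciphers': "RSA", 'keylen': 0},
        ])

    # set two key spec, ec before rsa
    def test_md_810_003a(self, env):
        """EC spec listed before RSA: both certificates are obtained and served."""
        domain = self.test_domain
        self.set_get_check_pkeys(env, domain, [
            {'spec': "P-256", 'ciphers': "ECDSA", 'keylen': 256},
            {'spec': "RSA 3072", 'ciphers': "ECDHE-RSA-CHACHA20-POLY1305", 'keylen': 3072},
        ])

    # set two key spec, rsa before ec
    def test_md_810_003b(self, env):
        """RSA spec listed before EC: the order of specs does not change the result."""
        domain = self.test_domain
        self.set_get_check_pkeys(env, domain, [
            {'spec': "RSA 3072", 'ciphers': "ECDHE-RSA-CHACHA20-POLY1305", 'keylen': 3072},
            {'spec': "secp384r1", 'ciphers': "ECDSA", 'keylen': 384},
        ])

    # use a curve unsupported by LE
    # only works with mod_ssl as rustls refuses to load such a weak key
    @pytest.mark.skipif(MDTestEnv.get_ssl_module() != "mod_ssl", reason="only for mod_ssl")
    @pytest.mark.skipif(MDTestEnv.get_acme_server() != 'boulder', reason="only boulder rejects this")
    def test_md_810_004(self, env):
        """A curve the CA does not accept (secp192r1) must surface as a renewal error.

        The MD status is expected to record at least one renewal error whose
        last problem is the ACME ``malformed`` error type, rather than the
        request silently succeeding or hanging.
        """
        domain = self.test_domain
        # generate config with one MD
        domains = [domain]
        conf = MDConf(env)
        conf.add("MDPrivateKeys secp192r1")
        conf.add_md(domains)
        conf.add_vhost(domains)
        conf.install()
        assert env.apache_restart() == 0
        md = env.await_error(domain)
        assert md
        assert md['renewal']['errors'] > 0
        assert md['renewal']['last']['problem'] == 'urn:ietf:params:acme:error:malformed'

    # set three key specs
    def test_md_810_005(self, env):
        """Two EC specs plus one RSA spec; the served EC key length depends on the SSL module."""
        domain = self.test_domain
        # behaviour differences, mod_ssl selects the strongest suitable,
        # mod_tls selects the first suitable
        ec_key_len = 384 if env.ssl_module == "mod_ssl" else 256
        self.set_get_check_pkeys(env, domain, [
            {'spec': "secp256r1", 'ciphers': "ECDSA", 'keylen': ec_key_len},
            {'spec': "RSA 4096", 'ciphers': "ECDHE-RSA-CHACHA20-POLY1305", 'keylen': 4096},
            {'spec': "P-384", 'ciphers': "ECDSA", 'keylen': ec_key_len},
        ])

    # set three key specs
    def test_md_810_006(self, env):
        """Compact spec spellings (``rsa2048``, ``secp256r1``) are accepted."""
        domain = self.test_domain
        self.set_get_check_pkeys(env, domain, [
            {'spec': "rsa2048", 'ciphers': "ECDHE-RSA-CHACHA20-POLY1305", 'keylen': 2048},
            {'spec': "secp256r1", 'ciphers': "ECDSA", 'keylen': 256},
        ])

    # start with one pkey and add another one
    def test_md_810_007(self, env):
        """Adding a second key spec to an existing MD triggers a renewal that yields both certs."""
        domain = self.test_domain
        domains = [domain]
        conf = MDConf(env)
        conf.add("MDPrivateKeys rsa3072")
        conf.add_md(domains)
        conf.add_vhost(domains)
        conf.install()
        assert env.apache_restart() == 0
        assert env.await_completion(domains)
        # same MD, now with an additional EC key spec
        conf = MDConf(env)
        conf.add("MDPrivateKeys rsa3072 secp384r1")
        conf.add_md(domains)
        conf.add_vhost(domains)
        conf.install()
        assert env.apache_restart() == 0
        # the changed key configuration must be flagged for renewal
        mds = env.get_md_status(domain, via_domain=domain, use_https=True)
        assert 'renew' in mds and mds['renew'] is True, f"{mds}"
        assert env.await_completion(domains)
        self.check_pkeys(env, domain, [
            {'spec': "rsa3072", 'ciphers': "ECDHE-RSA-CHACHA20-POLY1305", 'keylen': 3072},
            {'spec': "secp384r1", 'ciphers': "ECDSA", 'keylen': 384},
        ])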