From a7243b9f6fd7803d8bf2185719a92911e479f159 2020-07-13 16:19:38 From: Branko Majic Date: 2020-07-13 16:19:38 Subject: [PATCH] GC-37: Include ECDSA when testing that commands use correct key specification: - Updated tests for server, client, and renew commands. - Parametrised the tests so they can cover different sizes of RSA keys, as well as different elliptic curve algorithms.
---
diff --git a/tests/test_commands.py b/tests/test_commands.py
index 4d37b129523e8ada02abdc6c75f9f21e50c046da..09814f11c36a364b110e62f3541cd6137b7a53dc 100644
--- a/tests/test_commands.py
+++ b/tests/test_commands.py
@@ -1489,62 +1489,104 @@ def test_renew_client_reads_csr_from_stdin(mock_read_input, sample_project_direc
 assert certificate.subject != key_with_csr.csr.subject
-def test_server_uses_same_private_key_algorithm_and_parameters_as_issuer_when_generating_private_key(tmpdir):
+@pytest.mark.parametrize("key_specification", [
+ ("rsa", 1024),
+ ("rsa", 2048),
+ ("ecdsa", ec.SECP192R1),
+ ("ecdsa", ec.SECP384R1),
+])
+def test_server_uses_same_private_key_algorithm_and_parameters_as_issuer_when_generating_private_key(tmpdir, key_specification):
 private_key_file = tmpdir.join('.gimmecert', 'server', 'myserver.key.pem')
- gimmecert.commands.init(io.StringIO(), io.StringIO(), tmpdir.strpath, tmpdir.basename, 1, ("rsa", 1024))
+ gimmecert.commands.init(io.StringIO(), io.StringIO(), tmpdir.strpath, tmpdir.basename, 1, key_specification)
 gimmecert.commands.server(io.StringIO(), io.StringIO(), tmpdir.strpath, 'myserver', None, None, None)
 private_key = gimmecert.storage.read_private_key(private_key_file.strpath)
+ public_key = private_key.public_key()
+ public_key_specification = gimmecert.crypto.key_specification_from_public_key(public_key)
- assert private_key.key_size == 1024
+ assert public_key_specification == key_specification
-def test_server_uses_passed_in_private_key_algorithm_and_parameters_when_generating_private_key(gctmpdir):
+@pytest.mark.parametrize("key_specification", [
+ ("rsa", 1024),
+ ("rsa", 2048),
+ ("ecdsa", ec.SECP192R1),
+ ("ecdsa", ec.SECP384R1),
+])
+def test_server_uses_passed_in_private_key_algorithm_and_parameters_when_generating_private_key(gctmpdir, key_specification):
 private_key_file = gctmpdir.join('.gimmecert', 'server', 'myserver.key.pem')
- gimmecert.commands.server(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'myserver', None, None, ("rsa", 1024))
+ gimmecert.commands.server(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'myserver', None, None, key_specification)
 private_key = gimmecert.storage.read_private_key(private_key_file.strpath)
+ public_key = private_key.public_key()
+ public_key_specification = gimmecert.crypto.key_specification_from_public_key(public_key)
- assert private_key.key_size == 1024
+ assert public_key_specification == key_specification
-def test_client_uses_same_private_key_algorithm_and_parameters_as_issuer_when_generating_private_key(tmpdir):
+@pytest.mark.parametrize("key_specification", [
+ ("rsa", 1024),
+ ("rsa", 2048),
+ ("ecdsa", ec.SECP192R1),
+ ("ecdsa", ec.SECP384R1),
+])
+def test_client_uses_same_private_key_algorithm_and_parameters_as_issuer_when_generating_private_key(tmpdir, key_specification):
 private_key_file = tmpdir.join('.gimmecert', 'client', 'myclient.key.pem')
- gimmecert.commands.init(io.StringIO(), io.StringIO(), tmpdir.strpath, tmpdir.basename, 1, ("rsa", 1024))
+ gimmecert.commands.init(io.StringIO(), io.StringIO(), tmpdir.strpath, tmpdir.basename, 1, key_specification)
 gimmecert.commands.client(io.StringIO(), io.StringIO(), tmpdir.strpath, 'myclient', None, None)
 private_key = gimmecert.storage.read_private_key(private_key_file.strpath)
+ public_key = private_key.public_key()
+ public_key_specification = gimmecert.crypto.key_specification_from_public_key(public_key)
- assert private_key.key_size == 1024
+ assert public_key_specification == key_specification
+ assert public_key_specification == key_specification
-def test_client_uses_passed_in_private_key_algorithm_and_parameters_when_generating_private_key(gctmpdir):
+@pytest.mark.parametrize("key_specification", [
+ ("rsa", 1024),
+ ("rsa", 2048),
+ ("ecdsa", ec.SECP192R1),
+ ("ecdsa", ec.SECP384R1),
+])
+def test_client_uses_passed_in_private_key_algorithm_and_parameters_when_generating_private_key(gctmpdir, key_specification):
 private_key_file = gctmpdir.join('.gimmecert', 'client', 'myclient.key.pem')
- gimmecert.commands.client(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'myclient', None, ("rsa", 1024))
+ gimmecert.commands.client(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'myclient', None, key_specification)
 private_key = gimmecert.storage.read_private_key(private_key_file.strpath)
+ public_key = private_key.public_key()
+ public_key_specification = gimmecert.crypto.key_specification_from_public_key(public_key)
- assert private_key.key_size == 1024
+ assert public_key_specification == key_specification
-def test_renew_generates_new_private_key_with_different_size_if_requested(gctmpdir):
+@pytest.mark.parametrize("key_specification", [
+ ("rsa", 1024),
+ ("rsa", 3072),
+ ("ecdsa", ec.SECP192R1),
+ ("ecdsa", ec.SECP384R1),
+])
+def test_renew_generates_new_private_key_with_passed_in_algorithm_if_requested(gctmpdir, key_specification):
 private_key_file = gctmpdir.join('.gimmecert', 'server', 'myserver.key.pem')
 # Should produce 2048-bit RSA key (default from hierarchy).
 gimmecert.commands.server(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'myserver', None, None, None)
- gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'server', 'myserver', True, None, None, ("rsa", 1024))
- private_key_size_after_renewal = gimmecert.storage.read_private_key(private_key_file.strpath).key_size
+ gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'server', 'myserver', True, None, None, key_specification)
+
+ private_key = gimmecert.storage.read_private_key(private_key_file.strpath)
+ public_key = private_key.public_key()
+ public_key_specification = gimmecert.crypto.key_specification_from_public_key(public_key)
- assert private_key_size_after_renewal == 1024
+ assert public_key_specification == key_specification
 @pytest.mark.parametrize("key_specification", [
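Review bot: The parametrised `test_client_uses_same_private_key_algorithm_and_parameters_as_issuer_when_generating_private_key` ends with `assert public_key_specification == key_specification` twice in a row; the second copy checks nothing new and should be dropped. The key-specification list is also pasted verbatim above four of the five tests (the renew test swaps 2048 for 3072), so a module-level `KEY_SPECIFICATIONS = [("rsa", 1024), ("rsa", 2048), ("ecdsa", ec.SECP192R1), ("ecdsa", ec.SECP384R1)]` passed to `parametrize` together with `ids=` would keep the copies in step and give readable test ids. `ec.SECP192R1` and 1024-bit RSA are reasonable as fast fixtures, but some OpenSSL builds are known to ship without P-192, so those cases may fail with an unsupported-algorithm error rather than an assertion; a short comment saying the weak parameters are deliberate test-only values, or a switch to `ec.SECP256R1`, would help. The renew list presumably omits 2048 because the first `server` call already produces the default 2048-bit RSA key, and that reason is worth stating next to the parameters.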