certbot/acme/tests/testdata/README

In order for acme.test_util._guess_loader to work properly, make sure
to use appropriate extension for vector filenames: .pem for PEM and
.der for DER.

The following command has been used to generate test keys:

  for k in 256 512 1024 2048 4096; do openssl genrsa -out rsa${k}_key.pem $k; done

and for the CSR:

  openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -outform DER > csr.der

and for the certificates:

  openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -x509 -outform DER > cert.der
  openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -x509 > rsa2048_cert.pem
  openssl req -key rsa1024_key.pem -new -subj '/CN=example.com' -x509 > rsa1024_cert.pem

and for the elliptic key curves:

  openssl genpkey -algorithm EC -out ec_secp384r1.pem -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve
Unified vector loading in acme. 2015-07-10 08:26:51 -04:00			`In order for acme.test_util._guess_loader to work properly, make sure`
			`to use appropriate extension for vector filenames: .pem for PEM and`
			`.der for DER.`

Fix typo 2015-03-18 10:32:43 -04:00			`The following command has been used to generate test keys:`
acme.jose: (Typed)JSONObjectWithFields, Field, JWA. 2015-03-17 11:46:27 -04:00
Fix TLS-ALPN tests with newer versions of OpenSSL (#8026) Fixes #7988. As described there, the steps involved are: 1. Update our tests so they fail due to this problem. 2. Update the keys used in the tests so they pass with the new changes. For 1, see a [failing travis run](https://travis-ci.com/github/certbot/certbot/jobs/340710511) with the included change. And for the full output to confirm that this is what is failing, see a [run on debian 10](https://github.com/certbot/certbot/files/4692350/debian_run_log.txt). This PR adds `rsa4096_key.pem` and `rsa4096_cert.pem`, updates the `TLS-ALPN` test to use those keys in place of the 1024-bit versions, and fixes the README in that `testdata` folder with correct instructions to generate these files. * export PIP_NO_BINARY in pip install subshell in test_sdists.sh * set environment variable on the line that installs most packages * Generate 4096-bit rsa key and cert, and fix README instructions to do so. * Update TLS_ALPN test to use 4096-bit key instead of 1024-bit key. * Update changelog * Older versions of Python have an error when both VIRTUAL_NO_DOWNLOAD and PIP_NO_BINARY are set, so only apply the latter at the install phase. * Add enum34 constraint manually, since rebuild_dependencies.py seems to be broken. * only delete key if it exists * Check OpenSSL version before trying to set PIP_NO_BINARY * Add comment explaining why we only set PIP_NO_BINARY at the install step 2020-06-01 18:18:38 -04:00			`for k in 256 512 1024 2048 4096; do openssl genrsa -out rsa${k}_key.pem $k; done`
acme.jose: (Typed)JSONObjectWithFields, Field, JWA. 2015-03-17 11:46:27 -04:00
			`and for the CSR:`

Update example ACME client to work with Boulder 2015-10-28 03:26:52 -04:00			`openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -outform DER > csr.der`
Move letsencrypt.network to acme.client. 2015-06-18 06:38:20 -04:00
Reimplement tls-alpn-01 in acme (#6886) This PR is the first part of work described in #6724. It reintroduces the tls-alpn-01 challenge in `acme` module, that was introduced by #5894 and reverted by #6100. The reason it was removed in the past is because some tests showed that with `1.0.2` branch of OpenSSL, the self-signed certificate containing the authorization key is sent to the requester even if the ALPN protocol `acme-tls/1` was not declared as supported by the requester during the TLS handshake. However recent discussions lead to the conclusion that this behavior was not a security issue, because first it is coherent with the behavior with servers that do not support ALPN at all, and second it cannot make a tls-alpn-01 challenge be validated in this kind of corner case. On top of the original modifications given by #5894, I merged the code to be up-to-date with our `master`, and fixed tests to match recent evolution about not displaying the `keyAuthorization` in the deserialized JSON form of an ACME challenge. I also move the logic to verify if ALPN is available on the current system, and so that the tls-alpn-01 challenge can be used, to a dedicated static function `is_available` in `acme.challenge.TLSALPN01`. This function is used in the related tests to skip them, and will be used in the future from Certbot plugins to trigger or not the logic related to tls-alpn-01, depending on the OpenSSL version available to Python. * Reimplement TLS-ALPN-01 challenge and standalone TLS-ALPN server from #5894. * Setup a class method to check if tls-alpn-01 is supported. * Add potential missing parameter in validation for tls-alpn * Improve comments * Make a class private * Handle old versions of openssl that do not terminate the handshake when they should do. * Add changelog * Explicitly close the TLS connection by the book. * Remove unused exception * Fix lint 2020-03-12 16:53:19 -04:00			`and for the certificates:`
Move letsencrypt.network to acme.client. 2015-06-18 06:38:20 -04:00
Reimplement tls-alpn-01 in acme (#6886) This PR is the first part of work described in #6724. It reintroduces the tls-alpn-01 challenge in `acme` module, that was introduced by #5894 and reverted by #6100. The reason it was removed in the past is because some tests showed that with `1.0.2` branch of OpenSSL, the self-signed certificate containing the authorization key is sent to the requester even if the ALPN protocol `acme-tls/1` was not declared as supported by the requester during the TLS handshake. However recent discussions lead to the conclusion that this behavior was not a security issue, because first it is coherent with the behavior with servers that do not support ALPN at all, and second it cannot make a tls-alpn-01 challenge be validated in this kind of corner case. On top of the original modifications given by #5894, I merged the code to be up-to-date with our `master`, and fixed tests to match recent evolution about not displaying the `keyAuthorization` in the deserialized JSON form of an ACME challenge. I also move the logic to verify if ALPN is available on the current system, and so that the tls-alpn-01 challenge can be used, to a dedicated static function `is_available` in `acme.challenge.TLSALPN01`. This function is used in the related tests to skip them, and will be used in the future from Certbot plugins to trigger or not the logic related to tls-alpn-01, depending on the OpenSSL version available to Python. * Reimplement TLS-ALPN-01 challenge and standalone TLS-ALPN server from #5894. * Setup a class method to check if tls-alpn-01 is supported. * Add potential missing parameter in validation for tls-alpn * Improve comments * Make a class private * Handle old versions of openssl that do not terminate the handshake when they should do. * Add changelog * Explicitly close the TLS connection by the book. * Remove unused exception * Fix lint 2020-03-12 16:53:19 -04:00			`openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -x509 -outform DER > cert.der`
			`openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -x509 > rsa2048_cert.pem`
			`openssl req -key rsa1024_key.pem -new -subj '/CN=example.com' -x509 > rsa1024_cert.pem`
Test coverage dns ecdsa (#9174) * Added test coverage for ES256 signing keys in DNS challenges. * pass tests * Feedback 2022-01-21 04:29:53 -05:00
			`and for the elliptic key curves:`

			`openssl genpkey -algorithm EC -out ec_secp384r1.pem -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve`