def test_generating_ca_cert__existing_key(self):
call_command('initialize_root_ca')
# remove cert
stored_ca_cert = load_ca_cert()
os.remove(TEST_CA_CERT_PATH)
# call command again with existing key
call_command('initialize_root_ca')
new_ca_cert = load_ca_cert()
self.assertEqual(stored_ca_cert.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.PKCS1).decode(),
new_ca_cert.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.PKCS1).decode())
def test_loading_ca_cert(self):
ca_key = _generate_private_key()
ca_cert = _generate_root_ca_cert(ca_key)
with patch('scionlab.openvpn_config._generate_root_ca_cert', return_value=ca_cert):
call_command('initialize_root_ca')
stored_ca_cert = load_ca_cert()
self.assertEqual(ca_cert.public_bytes(serialization.Encoding.PEM).decode(),
stored_ca_cert.public_bytes(serialization.Encoding.PEM).decode())
def test_generate_certs(self):
attachment_point = AttachmentPoint.objects.first()
user_as = create_user_as(attachment_point)
vpn_client = user_as.hosts.first().vpn_clients.first()
config = generate_vpn_client_config(vpn_client)
# check ca cert
ca_cert_string_match = re.findall('<ca>\n(.*?)\n</ca>',
config,
flags=re.DOTALL)
self.assertTrue(len(ca_cert_string_match) == 1)
ca_cert = ca_cert_string_match[0]
config_ca_cert = x509.load_pem_x509_certificate(
ca_cert.encode(), backend=default_backend())
self.assertEqual(
load_ca_cert().public_bytes(serialization.Encoding.PEM).decode(),
config_ca_cert.public_bytes(serialization.Encoding.PEM).decode())
# check client cert
client_cert_string_match = re.findall('<cert>\n(.*?)\n</cert>',
config,
flags=re.DOTALL)
self.assertTrue(len(client_cert_string_match) == 1)
client_cert = client_cert_string_match[0]
config_client_cert = x509.load_pem_x509_certificate(
client_cert.encode(), backend=default_backend())
self.assertEqual(
vpn_client.cert,
config_client_cert.public_bytes(
serialization.Encoding.PEM).decode())
# check client key
client_key_string_match = re.findall('<key>\n(.*?)\n</key>',
config,
flags=re.DOTALL)
self.assertTrue(len(client_key_string_match) == 1)
client_key = client_key_string_match[0]
config_client_key = serialization.load_pem_private_key(
client_key.encode(), password=None, backend=default_backend())
self.assertEqual(
vpn_client.private_key,
config_client_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption()).decode())
# check public key for private key matches public key in certificate
self.assertEqual(
config_client_cert.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.PKCS1).decode(),
config_client_key.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.PKCS1).decode())