
Do not crash if the authorityKeyIdentifier is not in the certificate (OpenSSLv3)

Christophe Haen requested to merge chaen/fts-rest-flask:openssl3 into develop

When running with OpenSSL3, we noticed the following exception upon delegation, which can be reproduced easily:

python -c "import fts3.rest.client.easy as fts3;ctx = fts3.Context(endpoint='https://fts3-lhcb.cern.ch:8446', ucert='/tmp/x509up_u56212',verify=False);fts3.delegate(ctx,force=True)"
Traceback (most recent call last):
  File "/opt/dirac/versions/v8.1.0a7-1676534507/Linux-x86_64/lib/python3.9/site-packages/fts3/rest/client/delegator.py", line 282, in delegate
    x509_proxy = self._sign_request(x509_request, lifetime)
  File "/opt/dirac/versions/v8.1.0a7-1676534507/Linux-x86_64/lib/python3.9/site-packages/fts3/rest/client/delegator.py", line 187, in _sign_request
    identifier_ext = _workaround_new_extension(
  File "/opt/dirac/versions/v8.1.0a7-1676534507/Linux-x86_64/lib/python3.9/site-packages/fts3/rest/client/delegator.py", line 71, in _workaround_new_extension
    x509_ext_ptr = m2.x509v3_ext_conf(None, ctx, name, value)
M2Crypto.X509.X509Error: unable to get issuer keyid

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/opt/dirac/versions/v8.1.0a7-1676534507/Linux-x86_64/lib/python3.9/site-packages/fts3/rest/client/easy/delegate.py", line 40, in delegate
    return delegator.delegate(lifetime, force, delegate_when_lifetime_lt)
  File "/opt/dirac/versions/v8.1.0a7-1676534507/Linux-x86_64/lib/python3.9/site-packages/fts3/rest/client/delegator.py", line 291, in delegate
    raise ClientError(str(e)).with_traceback(sys.exc_info()[2])
  File "/opt/dirac/versions/v8.1.0a7-1676534507/Linux-x86_64/lib/python3.9/site-packages/fts3/rest/client/delegator.py", line 282, in delegate
    x509_proxy = self._sign_request(x509_request, lifetime)
  File "/opt/dirac/versions/v8.1.0a7-1676534507/Linux-x86_64/lib/python3.9/site-packages/fts3/rest/client/delegator.py", line 187, in _sign_request
    identifier_ext = _workaround_new_extension(
  File "/opt/dirac/versions/v8.1.0a7-1676534507/Linux-x86_64/lib/python3.9/site-packages/fts3/rest/client/delegator.py", line 71, in _workaround_new_extension
    x509_ext_ptr = m2.x509v3_ext_conf(None, ctx, name, value)
fts3.rest.client.exceptions.ClientError: Client error: unable to get issuer keyid

The problem is due to proxies being a grey area when it comes to Authority Key Identifier (https://www.rfc-editor.org/rfc/rfc3280#section-4.2.1.1). In any case, this being a non-critical extension, the sensible thing to do is probably to just skip it.

A similar PR was made against VOMS: https://github.com/italiangrid/voms/pull/113
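As an added example (not code from fts-rest-flask, the MR, or VOMS), the skip-if-absent behaviour the description argues for, written with pyca/cryptography rather than M2Crypto: the proxy signer derives authorityKeyIdentifier from the issuer's subjectKeyIdentifier and simply omits the non-critical extension when the issuer has none, instead of aborting the delegation. Certificate names, lifetimes and keys are constructed for the demonstration.

```python
# Added example (not fts-rest-flask code): add AKI to a proxy only when it can be
# derived from the issuer's SKI; otherwise skip the non-critical extension.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def _builder(subject, issuer, pubkey):
    # Common certificate skeleton; constructed 12 h validity window.
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(hours=12)))


def _ext_value(cert, oid):
    # Return an extension's value, or None when the certificate lacks it.
    try:
        return cert.extensions.get_extension_for_oid(oid).value
    except x509.ExtensionNotFound:
        return None


def make_issuer(with_ski: bool):
    """Constructed self-signed issuer, with or without a subjectKeyIdentifier."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed issuer")])
    builder = _builder(name, name, key.public_key())
    if with_ski:
        builder = builder.add_extension(
            x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
    return builder.sign(key, hashes.SHA256()), key


def sign_proxy(issuer_cert, issuer_key, proxy_pubkey):
    """Sign a proxy-style child; AKI is emitted only when the issuer carries an SKI."""
    subject = x509.Name(list(issuer_cert.subject) + [x509.NameAttribute(NameOID.COMMON_NAME, "proxy")])
    builder = _builder(subject, issuer_cert.subject, proxy_pubkey)
    ski = _ext_value(issuer_cert, ExtensionOID.SUBJECT_KEY_IDENTIFIER)
    if ski is not None:  # no issuer SKI (common for proxies): skip AKI, keep delegating
        builder = builder.add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def delegate_demo(issuer_has_ski: bool) -> dict:
    """One signing round; reports whether AKI was emitted and whether it matches the issuer."""
    issuer_cert, issuer_key = make_issuer(issuer_has_ski)
    proxy = sign_proxy(issuer_cert, issuer_key, rsa.generate_private_key(65537, 2048).public_key())
    aki = _ext_value(proxy, ExtensionOID.AUTHORITY_KEY_IDENTIFIER)
    if aki is None:
        return {"aki_present": False}
    ski = _ext_value(issuer_cert, ExtensionOID.SUBJECT_KEY_IDENTIFIER)
    return {"aki_present": True, "aki_matches_issuer_ski": aki.key_identifier == ski.digest}
```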
