Commit 53a92a5e authored by Joao Pedro Lopes's avatar Joao Pedro Lopes
Browse files

FTS-1700: Match FTS delegated proxy bit length with client certificate bit length

parent 77525a3c
Pipeline #2654682 passed with stage
in 2 minutes and 30 seconds
......@@ -65,14 +65,17 @@ def _populated_x509_name(components):
return x509_name
def _generate_proxy_request():
def _generate_proxy_request(key_len=2048):
"""
Generates a X509 proxy request.
Args:
key_len: Length of the RSA key in bits
Returns:
A tuple (X509 request, generated private key)
"""
key_pair = RSA.gen_key(2048, 65537, callback=_mute_callback)
key_pair = RSA.gen_key(key_len, 65537, callback=_mute_callback)
pkey = EVP.PKey()
pkey.assign_rsa(key_pair)
x509_request = X509.Request()
......@@ -282,8 +285,22 @@ class DelegationController(BaseController):
credential_cache = Session.query(CredentialCache)\
.get((user.delegation_id, user.user_dn))
if credential_cache is None or credential_cache.cert_request is None:
(x509_request, private_key) = _generate_proxy_request()
user_cert = self.certificate()
request_key_len = 2048
if user_cert:
user_key = X509.load_cert_string(user_cert)
request_key_len = user_key.get_pubkey().size() * 8
cached = credential_cache is not None and credential_cache.cert_request is not None
if cached:
cached_key_len = X509.load_request_string(credential_cache.cert_request).get_pubkey().size() * 8
if cached_key_len != request_key_len:
cached = False
log.debug("Invalidating cache due to key length missmatch between client and cached certificates")
if not cached:
(x509_request, private_key) = _generate_proxy_request(request_key_len)
credential_cache = CredentialCache(dlg_id=user.delegation_id, dn=user.user_dn,
cert_request=x509_request.as_pem(),
priv_key=private_key.as_pem(cipher=None),
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment