FTS-1700: Match FTS delegated proxy bit length with client certificate bit length

53a92a5e · Joao Pedro Lopes · 77525a3c · 53a92a5e
Commit 53a92a5e authored May 27, 2021 by Joao Pedro Lopes
--- a/src/fts3rest/fts3rest/controllers/delegation.py
+++ b/src/fts3rest/fts3rest/controllers/delegation.py
@@ -65,14 +65,17 @@ def _populated_x509_name(components):
    return x509_name


-def _generate_proxy_request():
+def _generate_proxy_request(key_len=2048):
    """
    Generates a X509 proxy request.
+    
+    Args:
+        key_len: Length of the RSA key in bits

    Returns:
        A tuple (X509 request, generated private key)
    """
-    key_pair = RSA.gen_key(2048, 65537, callback=_mute_callback)
+    key_pair = RSA.gen_key(key_len, 65537, callback=_mute_callback)
    pkey = EVP.PKey()
    pkey.assign_rsa(key_pair)
    x509_request = X509.Request()
@@ -282,8 +285,22 @@ class DelegationController(BaseController):
        credential_cache = Session.query(CredentialCache)\
            .get((user.delegation_id, user.user_dn))

-        if credential_cache is None or credential_cache.cert_request is None:
-            (x509_request, private_key) = _generate_proxy_request()
+        user_cert = self.certificate()
+        
+        request_key_len = 2048
+        if user_cert:
+            user_key = X509.load_cert_string(user_cert)
+            request_key_len = user_key.get_pubkey().size() * 8
+        
+        cached = credential_cache is not None and credential_cache.cert_request is not None
+        if cached:
+            cached_key_len = X509.load_request_string(credential_cache.cert_request).get_pubkey().size() * 8
+            if cached_key_len != request_key_len:
+                cached = False
+                log.debug("Invalidating cache due to key length missmatch between client and cached certificates")
+
+        if not cached:
+            (x509_request, private_key) = _generate_proxy_request(request_key_len)
            credential_cache = CredentialCache(dlg_id=user.delegation_id, dn=user.user_dn,
                                               cert_request=x509_request.as_pem(),
                                               priv_key=private_key.as_pem(cipher=None),