feat: verify incoming CSR subject matches what we expect

rambo · rambo · commit e24d83285490 · 2025-05-17T13:25:00.000+03:00
diff --git a/src/rasenmaeher_api/db/enrollments.py b/src/rasenmaeher_api/db/enrollments.py
@@ -18,6 +18,7 @@
 from .errors import ForbiddenOperation, CallsignReserved, NotFound, Deleted, PoolInactive
 from ..rmsettings import RMSettings
 from .engine import EngineWrapper
+from ..web.api.utils.csr_utils import verify_csr
 
 LOGGER = logging.getLogger(__name__)
 CODE_ALPHABET = string.ascii_uppercase + string.digits
@@ -283,7 +284,8 @@ async def create_for_callsign(
         """Create a new one with random code for the callsign"""
         if callsign in RMSettings.singleton().valid_product_cns:
             raise CallsignReserved("Using product CNs as callsigns is forbidden")
-        # FIXME: Verify the CSR has the callsign as CN
+        if csr and not verify_csr(csr, callsign):
+            raise CallsignReserved("CSR CN must match callsign")
         with EngineWrapper.get_session() as session:
             try:
                 await Enrollment.by_callsign(callsign)
diff --git a/src/rasenmaeher_api/db/people.py b/src/rasenmaeher_api/db/people.py
@@ -28,6 +28,7 @@
 from ..rmsettings import RMSettings
 from ..kchelpers import KCClient, KCUserData
 from .engine import EngineWrapper
+from ..web.api.utils.csr_utils import verify_csr
 
 LOGGER = logging.getLogger(__name__)
 
@@ -94,7 +95,8 @@ async def create_with_cert(
         cls, callsign: str, extra: Optional[Dict[str, Any]] = None, csrpem: Optional[str] = None
     ) -> "Person":
         """Create the cert etc and save the person"""
-        # FIXME: Verify the CSR has the callsign as CN
+        if csrpem and not verify_csr(csrpem, callsign):
+            raise CallsignReserved("CSR CN must match callsign")
         cnf = RMSettings.singleton()
         if callsign in cnf.valid_product_cns:
             raise CallsignReserved("Using product CNs as callsigns is forbidden")
diff --git a/src/rasenmaeher_api/web/api/utils/csr_utils.py b/src/rasenmaeher_api/web/api/utils/csr_utils.py
@@ -0,0 +1,23 @@
+"""Utils for checking CSR:s etc"""
+
+from cryptography import x509
+from libadvian.binpackers import ensure_utf8
+
+from rasenmaeher_api.web.api.utils.views import LOGGER
+
+
+# FIXME: This should be part of libpvarki
+
+
+def verify_csr(csrpem: str, callsign: str) -> bool:
+    """Verify CSR matches our rules for CN/DN for the given callsign"""
+    csr = x509.load_pem_x509_csr(ensure_utf8(csrpem))
+    dn = csr.subject.rfc4514_string()
+    LOGGER.debug("DN={} callsign={}".format(dn, callsign))
+    if f"CN={callsign}" not in dn:
+        LOGGER.warning("Callsign does not match CSR subject. DN={} callsign={}".format(dn, callsign))
+        return False
+    # TODO: check that keyusages in the CSR are fine
+    #       crypto.X509Extension(b"keyUsage", True, b"digitalSignature,nonRepudiation,keyEncipherment"),
+    #       crypto.X509Extension(b"extendedKeyUsage", True, b"clientAuth"),
+    return True
