From 1493c0f4a06b4400e600626db0933dccc4c370ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= <lauri.vosandi@gmail.com>
Date: Fri, 13 Apr 2018 13:11:48 +0000
Subject: [PATCH] api: Check keypair algorithm compatbility during request
 submission

---
 certidude/api/request.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/certidude/api/request.py b/certidude/api/request.py
index e2d0640..956fbfb 100644
--- a/certidude/api/request.py
+++ b/certidude/api/request.py
@@ -41,9 +41,20 @@ class RequestListResource(AuthorityHandler):
             header, _, der_bytes = pem.unarmor(body)
             csr = CertificationRequest.load(der_bytes)
         except ValueError:
+            logger.info("Malformed certificate signing request submission from %s blocked", req.context.get("remote_addr"))
             raise falcon.HTTPBadRequest(
                 "Bad request",
                 "Malformed certificate signing request")
+        else:
+            req_public_key = asymmetric.load_public_key(csr["certification_request_info"]["subject_pk_info"])
+            if self.authority.public_key.algorithm != req_public_key.algorithm:
+                logger.info("Attempt to submit %s based request from %s blocked, only %s allowed" % (
+                    req_public_key.algorithm.upper(),
+                    req.context.get("remote_addr"),
+                    self.authority.public_key.algorithm.upper()))
+                raise falcon.HTTPBadRequest(
+                    "Bad request",
+                    "Incompatible asymmetric key algorithms")
 
         common_name = csr["certification_request_info"]["subject"].native["common_name"]