author | Fraser Tweedale <ftweedal@redhat.com> | 2016-06-03 14:01:49 +1000 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-06-06 08:58:01 +0200 |
commit | fa149cff86a67ebfe2739df6467a6e10e47742cd (patch) | |
tree | 9887c23afd822b69b71a901cd81e3834b1ce6532 /ipalib | |
parent | 2026677635c6d4b086670cb9d8f3570bd1b95c27 (diff) | |
Remove service and host cert issuer validation
When adding certificates to a host or service entry, we currently
check that the issuer matches the issuer DN of the IPA CA. Now that
sub-CAs have been implemented, this check is no longer valid and
will cause false negatives. Remove it and update call sites.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/x509.py | 26 |
1 files changed, 0 insertions, 26 deletions
diff --git a/ipalib/x509.py b/ipalib/x509.py
index 7903441c5..82194922d 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -74,14 +74,6 @@ def subject_base():
     return _subject_base
 
 
-def valid_issuer(issuer):
-    if not api.Command.ca_is_enabled()['result']:
-        return True
-    # Handle all supported forms of issuer -- currently dogtag only.
-    if api.env.ra_plugin == 'dogtag':
-        return DN(issuer) == DN(('CN', 'Certificate Authority'), subject_base())
-    return True
-
 def strip_header(pem):
     """
     Remove the header and footer from a certificate.
@@ -357,24 +349,6 @@ def write_certificate_list(rawcerts, filename):
     except (IOError, OSError) as e:
         raise errors.FileError(reason=str(e))
 
-def verify_cert_subject(ldap, hostname, dercert):
-    """
-    Verify that the certificate issuer we're adding matches the issuer
-    base of our installation.
-
-    This assumes the certificate has already been normalized.
-
-    This raises an exception on errors and returns nothing otherwise.
-    """
-    nsscert = load_certificate(dercert, datatype=DER)
-    subject = str(nsscert.subject)
-    issuer = str(nsscert.issuer)
-    del(nsscert)
-
-    if (not valid_issuer(issuer)):
-        raise errors.CertificateOperationError(error=_('Issuer "%(issuer)s" does not match the expected issuer') % \
-            {'issuer' : issuer})
-
 class _Extension(univ.Sequence):
     componentType = namedtype.NamedTypes(
         namedtype.NamedType('extnID', univ.ObjectIdentifier()),