authorFraser Tweedale <ftweedal@redhat.com>2016-06-03 14:01:49 +1000
committerJan Cholasta <jcholast@redhat.com>2016-06-06 08:58:01 +0200
commitfa149cff86a67ebfe2739df6467a6e10e47742cd (patch)
tree9887c23afd822b69b71a901cd81e3834b1ce6532 /ipalib
parent2026677635c6d4b086670cb9d8f3570bd1b95c27 (diff)
Remove service and host cert issuer validation
When adding certificates to a host or service entry, we currently check that the issuer matches the issuer DN of the IPA CA. Now that sub-CAs have been implemented, this check is no longer valid and will cause false negatives. Remove it and update call sites. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/x509.py26
1 files changed, 0 insertions, 26 deletions
diff --git a/ipalib/x509.py b/ipalib/x509.py
index 7903441c5..82194922d 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -74,14 +74,6 @@ def subject_base():
return _subject_base
-def valid_issuer(issuer):
- if not api.Command.ca_is_enabled()['result']:
- return True
- # Handle all supported forms of issuer -- currently dogtag only.
- if api.env.ra_plugin == 'dogtag':
- return DN(issuer) == DN(('CN', 'Certificate Authority'), subject_base())
- return True
-
def strip_header(pem):
"""
Remove the header and footer from a certificate.
@@ -357,24 +349,6 @@ def write_certificate_list(rawcerts, filename):
except (IOError, OSError) as e:
raise errors.FileError(reason=str(e))
-def verify_cert_subject(ldap, hostname, dercert):
- """
- Verify that the certificate issuer we're adding matches the issuer
- base of our installation.
-
- This assumes the certificate has already been normalized.
-
- This raises an exception on errors and returns nothing otherwise.
- """
- nsscert = load_certificate(dercert, datatype=DER)
- subject = str(nsscert.subject)
- issuer = str(nsscert.issuer)
- del(nsscert)
-
- if (not valid_issuer(issuer)):
- raise errors.CertificateOperationError(error=_('Issuer "%(issuer)s" does not match the expected issuer') % \
- {'issuer' : issuer})
-
class _Extension(univ.Sequence):
componentType = namedtype.NamedTypes(
namedtype.NamedType('extnID', univ.ObjectIdentifier()),