authorFraser Tweedale <ftweedal@redhat.com>2016-06-03 14:01:49 +1000
committerJan Cholasta <jcholast@redhat.com>2016-06-06 08:58:01 +0200
commitfa149cff86a67ebfe2739df6467a6e10e47742cd (patch)
tree9887c23afd822b69b71a901cd81e3834b1ce6532 /ipaserver/plugins/host.py
parent2026677635c6d4b086670cb9d8f3570bd1b95c27 (diff)
Remove service and host cert issuer validation
When adding certificates to a host or service entry, we currently check that the issuer matches the issuer DN of the IPA CA. Now that sub-CAs have been implemented, this check is no longer valid and will cause false negatives. Remove it and update call sites. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/plugins/host.py')
-rw-r--r--ipaserver/plugins/host.py4
1 files changed, 0 insertions, 4 deletions
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 709b78d5b..e59e0fa93 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -657,8 +657,6 @@ class host_add(LDAPCreate):
setattr(context, 'randompassword', entry_attrs['userpassword'])
certs = options.get('usercertificate', [])
certs_der = [x509.normalize_certificate(c) for c in certs]
- for cert in certs_der:
- x509.verify_cert_subject(ldap, keys[-1], cert)
entry_attrs['usercertificate'] = certs_der
entry_attrs['managedby'] = dn
entry_attrs['objectclass'].append('ieee802device')
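Review bot: With the loop gone, `host_add` stores `certs_der` in `usercertificate` after `x509.normalize_certificate` alone, and nothing visible in this hunk ties a certificate to the host or to an IPA-managed CA or sub-CA. The removed helper is named `verify_cert_subject` while the description speaks of issuer validation; its body is not shown here, so it is worth confirming that no subject-to-host comparison on `keys[-1]` is dropped with it. A comment above the assignment would record the new contract, for example `# certificates are stored as supplied; the issuer is not checked because sub-CAs may have issued them`. The same removal in `host_mod` leaves the `# verify certificates` comment above code that now only normalizes, so it should read `# normalize certificates`. Both function bodies continue outside the hunks.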
@@ -869,8 +867,6 @@ class host_mod(LDAPUpdate):
# verify certificates
certs = entry_attrs.get('usercertificate') or []
certs_der = [x509.normalize_certificate(c) for c in certs]
- for cert in certs_der:
- x509.verify_cert_subject(ldap, keys[-1], cert)
# revoke removed certificates
if certs and self.api.Command.ca_is_enabled()['result']: