From fa149cff86a67ebfe2739df6467a6e10e47742cd Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Fri, 3 Jun 2016 14:01:49 +1000
Subject: Remove service and host cert issuer validation

When adding certifiates to a host or service entry, we currently check that the issuer matches the issuer DN of the IPA CA. Now that sub-CAs have been implemented, this check is no longer valid and will cause false negatives. Remove it and update call sites.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta
---
 ipalib/x509.py | 26 --------------------------
 ipaserver/plugins/host.py | 4 ----
 ipaserver/plugins/service.py | 4 ----
 ipatests/test_xmlrpc/xmlrpc_test.py | 3 +--
 4 files changed, 1 insertion(+), 36 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index 7903441c5..82194922d 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -74,14 +74,6 @@ def subject_base():
 return _subject_base
-def valid_issuer(issuer):
- if not api.Command.ca_is_enabled()['result']:
- return True
- # Handle all supported forms of issuer -- currently dogtag only.
- if api.env.ra_plugin == 'dogtag':
- return DN(issuer) == DN(('CN', 'Certificate Authority'), subject_base())
- return True
-
 def strip_header(pem):
 """
 Remove the header and footer from a certificate.
@@ -357,24 +349,6 @@ def write_certificate_list(rawcerts, filename):
 except (IOError, OSError) as e:
 raise errors.FileError(reason=str(e))
-def verify_cert_subject(ldap, hostname, dercert):
- """
- Verify that the certificate issuer we're adding matches the issuer
- base of our installation.
-
- This assumes the certificate has already been normalized.
-
- This raises an exception on errors and returns nothing otherwise.
- """
- nsscert = load_certificate(dercert, datatype=DER)
- subject = str(nsscert.subject)
- issuer = str(nsscert.issuer)
- del(nsscert)
-
- if (not valid_issuer(issuer)):
- raise errors.CertificateOperationError(error=_('Issuer "%(issuer)s" does not match the expected issuer') % \
- {'issuer' : issuer})
-
 class _Extension(univ.Sequence):
 componentType = namedtype.NamedTypes(
 namedtype.NamedType('extnID', univ.ObjectIdentifier()),
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 709b78d5b..e59e0fa93 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -657,8 +657,6 @@ class host_add(LDAPCreate):
 setattr(context, 'randompassword', entry_attrs['userpassword'])
 certs = options.get('usercertificate', [])
 certs_der = [x509.normalize_certificate(c) for c in certs]
- for cert in certs_der:
- x509.verify_cert_subject(ldap, keys[-1], cert)
 entry_attrs['usercertificate'] = certs_der
 entry_attrs['managedby'] = dn
 entry_attrs['objectclass'].append('ieee802device')
@@ -869,8 +867,6 @@ class host_mod(LDAPUpdate):
 # verify certificates
 certs = entry_attrs.get('usercertificate') or []
 certs_der = [x509.normalize_certificate(c) for c in certs]
- for cert in certs_der:
- x509.verify_cert_subject(ldap, keys[-1], cert)
 # revoke removed certificates
 if certs and self.api.Command.ca_is_enabled()['result']:
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 7e3735583..80cf39350 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -566,8 +566,6 @@ class service_add(LDAPCreate):
 certs = options.get('usercertificate', [])
 certs_der = [x509.normalize_certificate(c) for c in certs]
- for dercert in certs_der:
- x509.verify_cert_subject(ldap, hostname, dercert)
 entry_attrs['usercertificate'] = certs_der
 if not options.get('force', False):
@@ -642,8 +640,6 @@ class service_mod(LDAPUpdate):
 # verify certificates
 certs = entry_attrs.get('usercertificate') or []
 certs_der = [x509.normalize_certificate(c) for c in certs]
- for dercert in certs_der:
- x509.verify_cert_subject(ldap, hostname, dercert)
 # revoke removed certificates
 if certs and self.api.Command.ca_is_enabled()['result']:
 try:
diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py
index 0e326e1fa..c3bba9abf 100644
--- a/ipatests/test_xmlrpc/xmlrpc_test.py
+++ b/ipatests/test_xmlrpc/xmlrpc_test.py
@@ -30,7 +30,6 @@ import six
 from ipatests.util import assert_deepequal, Fuzzy
 from ipalib import api, request, errors
-from ipalib.x509 import valid_issuer
 from ipapython.version import API_VERSION
@@ -91,7 +90,7 @@ fuzzy_hash = Fuzzy('^([a-f0-9][a-f0-9]:)+[a-f0-9][a-f0-9]$', type=six.string_typ
 # Matches a date, like Tue Apr 26 17:45:35 2016 UTC
 fuzzy_date = Fuzzy('^[a-zA-Z]{3} [a-zA-Z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} UTC$')
-fuzzy_issuer = Fuzzy(type=six.string_types, test=lambda issuer: valid_issuer(issuer))
+fuzzy_issuer = Fuzzy(type=six.string_types)
 fuzzy_hex = Fuzzy('^0x[0-9a-fA-F]+$', type=six.string_types)
-- 
cgit
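Review bot: `fuzzy_issuer = Fuzzy(type=six.string_types)` now matches any string whatsoever, so the XML-RPC tests no longer assert anything about which CA issued a host or service certificate, and with verify_cert_subject dropped from the host.py and service.py hunks nothing on the server side checks it either, so a regression that stores a certificate from an unrelated issuer would pass the suite unnoticed. If issuer checking is deliberately out of scope until sub-CA-aware validation exists, say so next to the matcher, e.g. `# Issuer is not validated: with sub-CAs the issuer DN is no longer a single fixed value (ticket 4559)`, so the permissive matcher is not mistaken for coverage. A replacement check would need to accept the DN of the IPA CA or of any lightweight sub-CA; whether a helper for that exists yet is not visible in this diff.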