From fa149cff86a67ebfe2739df6467a6e10e47742cd Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 3 Jun 2016 14:01:49 +1000 Subject: Remove service and host cert issuer validation When adding certifiates to a host or service entry, we currently check that the issuer matches the issuer DN of the IPA CA. Now that sub-CAs have been implemented, this check is no longer valid and will cause false negatives. Remove it and update call sites. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta
---
 ipaserver/plugins/host.py | 4 ----
 1 file changed, 4 deletions(-)
(limited to 'ipaserver/plugins/host.py')

diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 709b78d5b..e59e0fa93 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -657,8 +657,6 @@ class host_add(LDAPCreate):
 setattr(context, 'randompassword', entry_attrs['userpassword'])
 certs = options.get('usercertificate', [])
 certs_der = [x509.normalize_certificate(c) for c in certs]
- for cert in certs_der:
- x509.verify_cert_subject(ldap, keys[-1], cert)
 entry_attrs['usercertificate'] = certs_der
 entry_attrs['managedby'] = dn
 entry_attrs['objectclass'].append('ieee802device')
@@ -869,8 +867,6 @@ class host_mod(LDAPUpdate):
 # verify certificates
 certs = entry_attrs.get('usercertificate') or []
 certs_der = [x509.normalize_certificate(c) for c in certs]
- for cert in certs_der:
- x509.verify_cert_subject(ldap, keys[-1], cert)
 
 # revoke removed certificates
 if certs and self.api.Command.ca_is_enabled()['result']:
-- 
cgit
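Review bot: After the removed loop, the only processing a submitted certificate receives before it is stored in `entry_attrs['usercertificate']` is `x509.normalize_certificate`, in both the host_add hunk and the host_mod hunk, so a certificate from any issuer is now accepted with no replacement check and no comment recording that this is intentional. The `# verify certificates` comment left at the top of the host_mod hunk now describes only normalization; suggest `# normalize certificates; the issuer is deliberately not compared with the IPA CA DN because sub-CAs make that check invalid`. If verify_cert_subject also compared the subject with the host name, as its name suggests, that check is gone as well and is worth confirming before merge. The enclosing method of each class starts and ends outside the hunk.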