authorFraser Tweedale <ftweedal@redhat.com>2016-06-03 14:01:49 +1000
committerJan Cholasta <jcholast@redhat.com>2016-06-06 08:58:01 +0200
commitfa149cff86a67ebfe2739df6467a6e10e47742cd (patch)
tree9887c23afd822b69b71a901cd81e3834b1ce6532 /ipaserver/plugins/service.py
parent2026677635c6d4b086670cb9d8f3570bd1b95c27 (diff)
Remove service and host cert issuer validation
When adding certificates to a host or service entry, we currently check that the issuer matches the issuer DN of the IPA CA. Now that sub-CAs have been implemented, this check is no longer valid and will cause false negatives. Remove it and update call sites. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/plugins/service.py')
-rw-r--r--ipaserver/plugins/service.py4
1 files changed, 0 insertions, 4 deletions
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 7e3735583..80cf39350 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -566,8 +566,6 @@ class service_add(LDAPCreate):
certs = options.get('usercertificate', [])
certs_der = [x509.normalize_certificate(c) for c in certs]
- for dercert in certs_der:
- x509.verify_cert_subject(ldap, hostname, dercert)
entry_attrs['usercertificate'] = certs_der
if not options.get('force', False):
@@ -642,8 +640,6 @@ class service_mod(LDAPUpdate):
# verify certificates
certs = entry_attrs.get('usercertificate') or []
certs_der = [x509.normalize_certificate(c) for c in certs]
- for dercert in certs_der:
- x509.verify_cert_subject(ldap, hostname, dercert)
# revoke removed certificates
if certs and self.api.Command.ca_is_enabled()['result']:
try:
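Review bot: The `# verify certificates` comment at the top of this service_mod hunk is now stale. With the `x509.verify_cert_subject` loop removed, the only step left under it is `x509.normalize_certificate`, and nothing visible in the hunk checks the certificate's issuer. I would reword it to something like `# normalize certificates; the issuer is no longer validated here (sub-CAs)` so that someone auditing this path does not assume a trust check still runs. The service_add hunk above drops the same loop but has no comment to update. The enclosing method continues outside the hunk, so it is not visible from here how the revocation block that follows treats certificates the IPA CA did not issue; that is worth confirming.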