-rw-r--r--ipalib/x509.py26
-rw-r--r--ipaserver/plugins/host.py4
-rw-r--r--ipaserver/plugins/service.py4
-rw-r--r--ipatests/test_xmlrpc/xmlrpc_test.py3
4 files changed, 1 insertions, 36 deletions
diff --git a/ipalib/x509.py b/ipalib/x509.py
index 7903441c5..82194922d 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -74,14 +74,6 @@ def subject_base():
return _subject_base
-def valid_issuer(issuer):
- if not api.Command.ca_is_enabled()['result']:
- return True
- # Handle all supported forms of issuer -- currently dogtag only.
- if api.env.ra_plugin == 'dogtag':
- return DN(issuer) == DN(('CN', 'Certificate Authority'), subject_base())
- return True
-
def strip_header(pem):
"""
Remove the header and footer from a certificate.
@@ -357,24 +349,6 @@ def write_certificate_list(rawcerts, filename):
except (IOError, OSError) as e:
raise errors.FileError(reason=str(e))
-def verify_cert_subject(ldap, hostname, dercert):
- """
- Verify that the certificate issuer we're adding matches the issuer
- base of our installation.
-
- This assumes the certificate has already been normalized.
-
- This raises an exception on errors and returns nothing otherwise.
- """
- nsscert = load_certificate(dercert, datatype=DER)
- subject = str(nsscert.subject)
- issuer = str(nsscert.issuer)
- del(nsscert)
-
- if (not valid_issuer(issuer)):
- raise errors.CertificateOperationError(error=_('Issuer "%(issuer)s" does not match the expected issuer') % \
- {'issuer' : issuer})
-
class _Extension(univ.Sequence):
componentType = namedtype.NamedTypes(
namedtype.NamedType('extnID', univ.ObjectIdentifier()),
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 709b78d5b..e59e0fa93 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -657,8 +657,6 @@ class host_add(LDAPCreate):
setattr(context, 'randompassword', entry_attrs['userpassword'])
certs = options.get('usercertificate', [])
certs_der = [x509.normalize_certificate(c) for c in certs]
- for cert in certs_der:
- x509.verify_cert_subject(ldap, keys[-1], cert)
entry_attrs['usercertificate'] = certs_der
entry_attrs['managedby'] = dn
entry_attrs['objectclass'].append('ieee802device')
@@ -869,8 +867,6 @@ class host_mod(LDAPUpdate):
# verify certificates
certs = entry_attrs.get('usercertificate') or []
certs_der = [x509.normalize_certificate(c) for c in certs]
- for cert in certs_der:
- x509.verify_cert_subject(ldap, keys[-1], cert)
# revoke removed certificates
if certs and self.api.Command.ca_is_enabled()['result']:
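Review bot: The `# verify certificates` comment on the first context line of this hunk is now stale, since the only statement left under it is the `x509.normalize_certificate` comprehension; the same stale comment survives in the service_mod hunk of ipaserver/plugins/service.py. Reword both to `# normalize certificates (issuer is no longer checked here)` so a later reader does not assume an issuer check still runs before the entry is written. With valid_issuer and verify_cert_subject gone, host_add, host_mod, service_add and service_mod accept a certificate from any issuer, and the revocation branch below only runs when the CA is enabled; if accepting externally issued certificates is the intent, the command docstrings should say so rather than leaving it implied by the deletion. The enclosing method of host_mod starts and ends outside the hunk.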
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 7e3735583..80cf39350 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -566,8 +566,6 @@ class service_add(LDAPCreate):
certs = options.get('usercertificate', [])
certs_der = [x509.normalize_certificate(c) for c in certs]
- for dercert in certs_der:
- x509.verify_cert_subject(ldap, hostname, dercert)
entry_attrs['usercertificate'] = certs_der
if not options.get('force', False):
@@ -642,8 +640,6 @@ class service_mod(LDAPUpdate):
# verify certificates
certs = entry_attrs.get('usercertificate') or []
certs_der = [x509.normalize_certificate(c) for c in certs]
- for dercert in certs_der:
- x509.verify_cert_subject(ldap, hostname, dercert)
# revoke removed certificates
if certs and self.api.Command.ca_is_enabled()['result']:
try:
diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py
index 0e326e1fa..c3bba9abf 100644
--- a/ipatests/test_xmlrpc/xmlrpc_test.py
+++ b/ipatests/test_xmlrpc/xmlrpc_test.py
@@ -30,7 +30,6 @@ import six
from ipatests.util import assert_deepequal, Fuzzy
from ipalib import api, request, errors
-from ipalib.x509 import valid_issuer
from ipapython.version import API_VERSION
@@ -91,7 +90,7 @@ fuzzy_hash = Fuzzy('^([a-f0-9][a-f0-9]:)+[a-f0-9][a-f0-9]$', type=six.string_typ
# Matches a date, like Tue Apr 26 17:45:35 2016 UTC
fuzzy_date = Fuzzy('^[a-zA-Z]{3} [a-zA-Z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} UTC$')
-fuzzy_issuer = Fuzzy(type=six.string_types, test=lambda issuer: valid_issuer(issuer))
+fuzzy_issuer = Fuzzy(type=six.string_types)
fuzzy_hex = Fuzzy('^0x[0-9a-fA-F]+$', type=six.string_types)