diff options
-rw-r--r-- | ipalib/x509.py | 26 | ||||
-rw-r--r-- | ipaserver/plugins/host.py | 4 | ||||
-rw-r--r-- | ipaserver/plugins/service.py | 4 | ||||
-rw-r--r-- | ipatests/test_xmlrpc/xmlrpc_test.py | 3 |
4 files changed, 1 insertions, 36 deletions
diff --git a/ipalib/x509.py b/ipalib/x509.py index 7903441c5..82194922d 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -74,14 +74,6 @@ def subject_base(): return _subject_base -def valid_issuer(issuer): - if not api.Command.ca_is_enabled()['result']: - return True - # Handle all supported forms of issuer -- currently dogtag only. - if api.env.ra_plugin == 'dogtag': - return DN(issuer) == DN(('CN', 'Certificate Authority'), subject_base()) - return True - def strip_header(pem): """ Remove the header and footer from a certificate. @@ -357,24 +349,6 @@ def write_certificate_list(rawcerts, filename): except (IOError, OSError) as e: raise errors.FileError(reason=str(e)) -def verify_cert_subject(ldap, hostname, dercert): - """ - Verify that the certificate issuer we're adding matches the issuer - base of our installation. - - This assumes the certificate has already been normalized. - - This raises an exception on errors and returns nothing otherwise. - """ - nsscert = load_certificate(dercert, datatype=DER) - subject = str(nsscert.subject) - issuer = str(nsscert.issuer) - del(nsscert) - - if (not valid_issuer(issuer)): - raise errors.CertificateOperationError(error=_('Issuer "%(issuer)s" does not match the expected issuer') % \ - {'issuer' : issuer}) - class _Extension(univ.Sequence): componentType = namedtype.NamedTypes( namedtype.NamedType('extnID', univ.ObjectIdentifier()), diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py index 709b78d5b..e59e0fa93 100644 --- a/ipaserver/plugins/host.py +++ b/ipaserver/plugins/host.py @@ -657,8 +657,6 @@ class host_add(LDAPCreate): setattr(context, 'randompassword', entry_attrs['userpassword']) certs = options.get('usercertificate', []) certs_der = [x509.normalize_certificate(c) for c in certs] - for cert in certs_der: - x509.verify_cert_subject(ldap, keys[-1], cert) entry_attrs['usercertificate'] = certs_der entry_attrs['managedby'] = dn entry_attrs['objectclass'].append('ieee802device') @@ -869,8 +867,6 @@ class host_mod(LDAPUpdate): # verify certificates certs = entry_attrs.get('usercertificate') or [] certs_der = [x509.normalize_certificate(c) for c in certs] - for cert in certs_der: - x509.verify_cert_subject(ldap, keys[-1], cert) # revoke removed certificates if certs and self.api.Command.ca_is_enabled()['result']: diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py index 7e3735583..80cf39350 100644 --- a/ipaserver/plugins/service.py +++ b/ipaserver/plugins/service.py @@ -566,8 +566,6 @@ class service_add(LDAPCreate): certs = options.get('usercertificate', []) certs_der = [x509.normalize_certificate(c) for c in certs] - for dercert in certs_der: - x509.verify_cert_subject(ldap, hostname, dercert) entry_attrs['usercertificate'] = certs_der if not options.get('force', False): @@ -642,8 +640,6 @@ class service_mod(LDAPUpdate): # verify certificates certs = entry_attrs.get('usercertificate') or [] certs_der = [x509.normalize_certificate(c) for c in certs] - for dercert in certs_der: - x509.verify_cert_subject(ldap, hostname, dercert) # revoke removed certificates if certs and self.api.Command.ca_is_enabled()['result']: try: diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py index 0e326e1fa..c3bba9abf 100644 --- a/ipatests/test_xmlrpc/xmlrpc_test.py +++ b/ipatests/test_xmlrpc/xmlrpc_test.py @@ -30,7 +30,6 @@ import six from ipatests.util import assert_deepequal, Fuzzy from ipalib import api, request, errors -from ipalib.x509 import valid_issuer from ipapython.version import API_VERSION @@ -91,7 +90,7 @@ fuzzy_hash = Fuzzy('^([a-f0-9][a-f0-9]:)+[a-f0-9][a-f0-9]$', type=six.string_typ # Matches a date, like Tue Apr 26 17:45:35 2016 UTC fuzzy_date = Fuzzy('^[a-zA-Z]{3} [a-zA-Z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} UTC$') -fuzzy_issuer = Fuzzy(type=six.string_types, test=lambda issuer: valid_issuer(issuer)) +fuzzy_issuer = Fuzzy(type=six.string_types) fuzzy_hex = Fuzzy('^0x[0-9a-fA-F]+$', type=six.string_types) |