[Freeipa-devel] [PATCH] 0065 Remove service and host cert issuer validation
Fraser Tweedale
ftweedal at redhat.com
Fri Jun 3 05:15:59 UTC 2016
The attached patch enables cert issuance to hosts and services using
sub-CAs.
Thanks,
Fraser
-------------- next part --------------
From 3432c6322d823dd53a477a6c37021bfe4fbb11b3 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Fri, 3 Jun 2016 14:01:49 +1000
Subject: [PATCH] Remove service and host cert issuer validation
When adding certificates to a host or service entry, we currently
check that the issuer matches the issuer DN of the IPA CA. Now that
sub-CAs have been implemented, this check is no longer valid and
will cause false negatives. Remove it and update call sites.
Part of: https://fedorahosted.org/freeipa/ticket/4559
---
ipalib/plugins/host.py | 4 ----
ipalib/plugins/service.py | 4 ----
ipalib/x509.py | 26 --------------------------
ipatests/test_xmlrpc/xmlrpc_test.py | 3 +--
4 files changed, 1 insertion(+), 36 deletions(-)
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 4cd08ebb2f507faa3fd193b323ac3d196fc4895d..9fa38ecaf03b857aa62acbbde84669f68b90233f 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -657,8 +657,6 @@ class host_add(LDAPCreate):
setattr(context, 'randompassword', entry_attrs['userpassword'])
certs = options.get('usercertificate', [])
certs_der = [x509.normalize_certificate(c) for c in certs]
- for cert in certs_der:
- x509.verify_cert_subject(ldap, keys[-1], cert)
entry_attrs['usercertificate'] = certs_der
entry_attrs['managedby'] = dn
entry_attrs['objectclass'].append('ieee802device')
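Review bot: With the `x509.verify_cert_subject` call gone, nothing in this hunk checks that a `usercertificate` value was issued by any IPA CA, so a certificate from an unrelated or self-signed issuer is now stored on the host entry as-is; the host_mod, service_add and service_mod hunks in this patch drop the same check. The removed code compared only issuer DNs, so a replacement that looks the issuer up against the configured CAs (root CA and sub-CAs) would keep the intent instead of dropping it, and the commit message should say whether accepting any issuer is deliberate. In host_mod the "revoke removed certificates" branch still runs whenever the CA is enabled, so it may now be handed certificates the IPA CA never issued — worth confirming how that path behaves. If the removal is intended, a comment on the `certs_der = ...` line such as `# Issuer is not validated here: any IPA sub-CA may issue (ticket 4559)` would record that. The enclosing pre_callback starts and ends outside the hunk.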
@@ -869,8 +867,6 @@ class host_mod(LDAPUpdate):
# verify certificates
certs = entry_attrs.get('usercertificate') or []
certs_der = [x509.normalize_certificate(c) for c in certs]
- for cert in certs_der:
- x509.verify_cert_subject(ldap, keys[-1], cert)
# revoke removed certificates
if certs and self.api.Command.ca_is_enabled()['result']:
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index ec2071b873013513240a480c26c92d477f995c18..6f73dcd989a444a75fd11fb8030884556875671a 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -566,8 +566,6 @@ class service_add(LDAPCreate):
certs = options.get('usercertificate', [])
certs_der = [x509.normalize_certificate(c) for c in certs]
- for dercert in certs_der:
- x509.verify_cert_subject(ldap, hostname, dercert)
entry_attrs['usercertificate'] = certs_der
if not options.get('force', False):
@@ -642,8 +640,6 @@ class service_mod(LDAPUpdate):
# verify certificates
certs = entry_attrs.get('usercertificate') or []
certs_der = [x509.normalize_certificate(c) for c in certs]
- for dercert in certs_der:
- x509.verify_cert_subject(ldap, hostname, dercert)
# revoke removed certificates
if certs and self.api.Command.ca_is_enabled()['result']:
try:
diff --git a/ipalib/x509.py b/ipalib/x509.py
index 7903441c550eea74a99595026918f3f0b7d35851..82194922d151a1b0f2df03df3578ad45b43b71c9 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -74,14 +74,6 @@ def subject_base():
return _subject_base
-def valid_issuer(issuer):
- if not api.Command.ca_is_enabled()['result']:
- return True
- # Handle all supported forms of issuer -- currently dogtag only.
- if api.env.ra_plugin == 'dogtag':
- return DN(issuer) == DN(('CN', 'Certificate Authority'), subject_base())
- return True
-
def strip_header(pem):
"""
Remove the header and footer from a certificate.
@@ -357,24 +349,6 @@ def write_certificate_list(rawcerts, filename):
except (IOError, OSError) as e:
raise errors.FileError(reason=str(e))
-def verify_cert_subject(ldap, hostname, dercert):
- """
- Verify that the certificate issuer we're adding matches the issuer
- base of our installation.
-
- This assumes the certificate has already been normalized.
-
- This raises an exception on errors and returns nothing otherwise.
- """
- nsscert = load_certificate(dercert, datatype=DER)
- subject = str(nsscert.subject)
- issuer = str(nsscert.issuer)
- del(nsscert)
-
- if (not valid_issuer(issuer)):
- raise errors.CertificateOperationError(error=_('Issuer "%(issuer)s" does not match the expected issuer') % \
- {'issuer' : issuer})
-
class _Extension(univ.Sequence):
componentType = namedtype.NamedTypes(
namedtype.NamedType('extnID', univ.ObjectIdentifier()),
diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py
index 4052ab91868b0f0e2400b6533e5adba3fe72200d..36c6060f9d693d02cd896efe569c30f9788525e9 100644
--- a/ipatests/test_xmlrpc/xmlrpc_test.py
+++ b/ipatests/test_xmlrpc/xmlrpc_test.py
@@ -30,7 +30,6 @@ import six
from ipatests.util import assert_deepequal, Fuzzy
from ipalib import api, request, errors
-from ipalib.x509 import valid_issuer
from ipapython.version import API_VERSION
@@ -91,7 +90,7 @@ fuzzy_hash = Fuzzy('^([a-f0-9][a-f0-9]:)+[a-f0-9][a-f0-9]$', type=six.string_typ
# Matches a date, like Tue Apr 26 17:45:35 2016 UTC
fuzzy_date = Fuzzy('^[a-zA-Z]{3} [a-zA-Z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} UTC$')
-fuzzy_issuer = Fuzzy(type=six.string_types, test=lambda issuer: valid_issuer(issuer))
+fuzzy_issuer = Fuzzy(type=six.string_types)
fuzzy_hex = Fuzzy('^0x[0-9a-fA-F]+$', type=six.string_types)
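Review bot: `fuzzy_issuer = Fuzzy(type=six.string_types)` now matches any string, so test assertions that use fuzzy_issuer no longer verify that a certificate's issuer is an IPA CA at all. Since the removed valid_issuer compared the value against `DN(('CN', 'Certificate Authority'), subject_base())`, a `test=` callback that accepts that DN or the DN of a sub-CA created by the test would keep the assertion meaningful under sub-CAs rather than weakening it. At minimum a comment `# Any issuer DN is accepted: sub-CAs are valid issuers (ticket 4559)` on the assignment would explain why the check was loosened.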
--
2.5.5