[Freeipa-devel] [PATCH] 0065 Remove service and host cert issuer validation

Fraser Tweedale ftweedal at redhat.com
Fri Jun 3 05:15:59 UTC 2016


The attached patch enables cert issuance to hosts and services using
sub-CAs.

Thanks,
Fraser
-------------- next part --------------
From 3432c6322d823dd53a477a6c37021bfe4fbb11b3 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Fri, 3 Jun 2016 14:01:49 +1000
Subject: [PATCH] Remove service and host cert issuer validation

When adding certificates to a host or service entry, we currently
check that the issuer matches the issuer DN of the IPA CA.  Now that
sub-CAs have been implemented, this check is no longer valid and
will cause false negatives.  Remove it and update call sites.

Part of: https://fedorahosted.org/freeipa/ticket/4559
---
 ipalib/plugins/host.py              |  4 ----
 ipalib/plugins/service.py           |  4 ----
 ipalib/x509.py                      | 26 --------------------------
 ipatests/test_xmlrpc/xmlrpc_test.py |  3 +--
 4 files changed, 1 insertion(+), 36 deletions(-)

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 4cd08ebb2f507faa3fd193b323ac3d196fc4895d..9fa38ecaf03b857aa62acbbde84669f68b90233f 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -657,8 +657,6 @@ class host_add(LDAPCreate):
             setattr(context, 'randompassword', entry_attrs['userpassword'])
         certs = options.get('usercertificate', [])
         certs_der = [x509.normalize_certificate(c) for c in certs]
-        for cert in certs_der:
-            x509.verify_cert_subject(ldap, keys[-1], cert)
         entry_attrs['usercertificate'] = certs_der
         entry_attrs['managedby'] = dn
         entry_attrs['objectclass'].append('ieee802device')
@@ -869,8 +867,6 @@ class host_mod(LDAPUpdate):
         # verify certificates
         certs = entry_attrs.get('usercertificate') or []
         certs_der = [x509.normalize_certificate(c) for c in certs]
-        for cert in certs_der:
-            x509.verify_cert_subject(ldap, keys[-1], cert)
 
         # revoke removed certificates
         if certs and self.api.Command.ca_is_enabled()['result']:
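Review bot: The `# verify certificates` comment kept at the top of this host_mod hunk is stale on the new side, because the only step left under it is `x509.normalize_certificate`, which by its name converts the encoding rather than checking the issuer. The service_mod hunk in ipalib/plugins/service.py keeps the same comment with the same problem. Rewording it to something like `# normalize certificates; issuer is not checked (may be a sub-CA or external CA)` would stop a later reader from assuming a trust check still happens here. Since these entries can now hold certificates from any issuer, it is worth confirming that nothing downstream treats the presence of a `usercertificate` value as proof of IPA issuance, and that the revocation path just below copes with certificates the IPA CA never issued; neither is visible in this hunk, whose enclosing method continues outside it.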
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index ec2071b873013513240a480c26c92d477f995c18..6f73dcd989a444a75fd11fb8030884556875671a 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -566,8 +566,6 @@ class service_add(LDAPCreate):
 
         certs = options.get('usercertificate', [])
         certs_der = [x509.normalize_certificate(c) for c in certs]
-        for dercert in certs_der:
-            x509.verify_cert_subject(ldap, hostname, dercert)
         entry_attrs['usercertificate'] = certs_der
 
         if not options.get('force', False):
@@ -642,8 +640,6 @@ class service_mod(LDAPUpdate):
         # verify certificates
         certs = entry_attrs.get('usercertificate') or []
         certs_der = [x509.normalize_certificate(c) for c in certs]
-        for dercert in certs_der:
-            x509.verify_cert_subject(ldap, hostname, dercert)
         # revoke removed certificates
         if certs and self.api.Command.ca_is_enabled()['result']:
             try:
diff --git a/ipalib/x509.py b/ipalib/x509.py
index 7903441c550eea74a99595026918f3f0b7d35851..82194922d151a1b0f2df03df3578ad45b43b71c9 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -74,14 +74,6 @@ def subject_base():
 
     return _subject_base
 
-def valid_issuer(issuer):
-    if not api.Command.ca_is_enabled()['result']:
-        return True
-    # Handle all supported forms of issuer -- currently dogtag only.
-    if api.env.ra_plugin == 'dogtag':
-        return DN(issuer) == DN(('CN', 'Certificate Authority'), subject_base())
-    return True
-
 def strip_header(pem):
     """
     Remove the header and footer from a certificate.
@@ -357,24 +349,6 @@ def write_certificate_list(rawcerts, filename):
     except (IOError, OSError) as e:
         raise errors.FileError(reason=str(e))
 
-def verify_cert_subject(ldap, hostname, dercert):
-    """
-    Verify that the certificate issuer we're adding matches the issuer
-    base of our installation.
-
-    This assumes the certificate has already been normalized.
-
-    This raises an exception on errors and returns nothing otherwise.
-    """
-    nsscert = load_certificate(dercert, datatype=DER)
-    subject = str(nsscert.subject)
-    issuer = str(nsscert.issuer)
-    del(nsscert)
-
-    if (not valid_issuer(issuer)):
-        raise errors.CertificateOperationError(error=_('Issuer "%(issuer)s" does not match the expected issuer') % \
-        {'issuer' : issuer})
-
 class _Extension(univ.Sequence):
     componentType = namedtype.NamedTypes(
         namedtype.NamedType('extnID', univ.ObjectIdentifier()),
diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py
index 4052ab91868b0f0e2400b6533e5adba3fe72200d..36c6060f9d693d02cd896efe569c30f9788525e9 100644
--- a/ipatests/test_xmlrpc/xmlrpc_test.py
+++ b/ipatests/test_xmlrpc/xmlrpc_test.py
@@ -30,7 +30,6 @@ import six
 
 from ipatests.util import assert_deepequal, Fuzzy
 from ipalib import api, request, errors
-from ipalib.x509 import valid_issuer
 from ipapython.version import API_VERSION
 
 
@@ -91,7 +90,7 @@ fuzzy_hash = Fuzzy('^([a-f0-9][a-f0-9]:)+[a-f0-9][a-f0-9]$', type=six.string_typ
 # Matches a date, like Tue Apr 26 17:45:35 2016 UTC
 fuzzy_date = Fuzzy('^[a-zA-Z]{3} [a-zA-Z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} UTC$')
 
-fuzzy_issuer = Fuzzy(type=six.string_types, test=lambda issuer: valid_issuer(issuer))
+fuzzy_issuer = Fuzzy(type=six.string_types)
 
 fuzzy_hex = Fuzzy('^0x[0-9a-fA-F]+$', type=six.string_types)
 
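Review bot: `fuzzy_issuer = Fuzzy(type=six.string_types)` now matches any string, so every test using it stops asserting anything about the issuer beyond its type. If the intent is only to stop pinning the main IPA CA DN, a comment such as `# any issuer is accepted: certs may be issued by a sub-CA` would record that the loosening is deliberate. Tests that issue from the default CA could still compare against its exact DN to keep coverage of that path; whether such tests exist is not visible here.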
-- 
2.5.5


