certdb: validate certificate signatures
When verifying a CA certificate, validate its signature. This
causes FreeIPA to reject certificate chains with bad signatures,
signatures using unacceptable algorithms, or certificates with
unacceptable key sizes. The '-e' option to 'certutil -V' was the
missing ingredient.
An an example of a problem prevented by this change, a certifiate
signed by a 1024-bit intermediate CA, would previously have been
imported by ipa-cacert-manage, but would cause Dogtag startup
failure due to failing self-test. With this change,
ipa-cacert-manage will reject the certificate:
# ipa-cacert-manage renew --external-cert-file /tmp/ipa.p7
Importing the renewed CA certificate, please wait
CA certificate CN=Certificate Authority,O=IPA.LOCAL 201809261455
in /tmp/ipa.p7 is not valid: certutil: certificate is invalid: The
certificate was signed using a signature algorithm that is
disabled because it is not secure.
Fixes: https://pagure.io/freeipa/issue/7761
Reviewed-By: Christian Heimes <cheimes@redhat.com>