CRLSign keyUsage or CA basicConstraint are sufficient for CRL validation

author Martin Willi <martin@revosec.ch>

Fri, 3 Dec 2010 12:51:51 +0000 (13:51 +0100)

committer Martin Willi <martin@revosec.ch>

Wed, 5 Jan 2011 15:45:56 +0000 (16:45 +0100)
author Martin Willi <martin@revosec.ch>
Fri, 3 Dec 2010 12:51:51 +0000 (13:51 +0100)
committer Martin Willi <martin@revosec.ch>
Wed, 5 Jan 2011 15:45:56 +0000 (16:45 +0100)
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c

index 4bd0470d36e958af3e7a813494f8b7794d77dbb9..9a0010299fec7ed06273cf630d5958ea3a384b11 100644 (file)
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -388,7 +388,7 @@ METHOD(certificate_t, issued_by, bool,
         {
                 return FALSE;
         }
-       if (!(x509->get_flags(x509) & X509_CA))
+       if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN)))
         {
                 return FALSE;
         }
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c

index 24bf9123fd32c7e3076f0f48ea774dc71a5637b3..87d585363aa77e8d0ec6600162fbc8f6d9c859e4 100644 (file)
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -262,9 +262,9 @@ static int sign_crl()
                 goto error;
         }
         x509 = (x509_t*)ca;
-       if (!(x509->get_flags(x509) & X509_CA))
+       if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN)))
         {
-               error = "CA certificate misses CA basicConstraint";
+               error = "CA certificate misses CA basicConstraint / CRLSign keyUsage";
                 goto error;
         }
         public = ca->get_public_key(ca);
author	Martin Willi <martin@revosec.ch>
	Fri, 3 Dec 2010 12:51:51 +0000 (13:51 +0100)
committer	Martin Willi <martin@revosec.ch>
	Wed, 5 Jan 2011 15:45:56 +0000 (16:45 +0100)
src/libstrongswan/plugins/x509/x509_crl.c		patch \| blob \| blame \| history
src/pki/commands/signcrl.c		patch \| blob \| blame \| history