From: Tobias Brunner
Date: Fri, 24 Mar 2023 16:34:05 +0000 (+0100)
Subject: Merge branch 'crl-sign'
X-Git-Tag: 5.9.11dr1~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7dc82dea34167c1585a95f38b532e11a67a53ee8;p=thirdparty%2Fstrongswan.git

Merge branch 'crl-sign'

Enforces that the certificate that signed a CRL either encodes the cRLSign keyUsage (even if it is a CA certificate) or is a CA certificate without a keyUsage extension (which should rarely be the case nowadays).

This is in compliance with RFC 5280, section 6.3.3 (f):

  If a key usage extension is present in the CRL issuer's certificate, verify that the cRLSign bit is set.

strongSwan encodes a keyUsage extension with cRLSign bit set in all CA certificates it generates since 1ec8f22de222 ("set Certificate Sign and CRL Sign flags in keyUsage extension if CA is true"), which was 13 years ago. Before that the extension was not encoded, so those CA certificates would also still be accepted as CRL issuer (if they are still valid, but considering the SHA-1 deprecation that happened since then, they were most likely replaced anyway).

References strongswan/strongswan#1548
---
7dc82dea34167c1585a95f38b532e11a67a53ee8
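The acceptance rule described in the commit message, written out as an added example (this is not strongSwan code): the DER KeyUsage BIT STRING is decoded by hand, and a candidate CRL issuer is accepted only if its keyUsage asserts cRLSign, or if it has no keyUsage extension at all and is a CA. The sample encodings and the `accept_as_crl_issuer` helper are constructed for this illustration.

```python
from typing import Optional

# KeyUsage bit numbers from RFC 5280: digitalSignature(0) ... keyCertSign(5), cRLSign(6)
KEY_CERT_SIGN_BIT = 5
CRL_SIGN_BIT = 6


def parse_key_usage(der: bytes) -> set:
    """Decode a DER-encoded KeyUsage BIT STRING into the set of asserted bit numbers.

    Layout: tag 0x03, short-form length, one byte counting unused trailing bits,
    then the bit bytes (MSB first). KeyUsage needs at most two content bytes, so
    long-form lengths are rejected rather than parsed.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported length")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    # DER requires the padding bits to be zero; a set padding bit must not be
    # mistaken for an asserted key usage, so reject such encodings outright.
    if unused and body[-1] & ((1 << unused) - 1):
        raise ValueError("non-zero padding bits")
    total_bits = len(body) * 8 - unused
    return {i for i in range(total_bits) if body[i // 8] & (0x80 >> (i % 8))}


def accept_as_crl_issuer(is_ca: bool, key_usage_der: Optional[bytes]) -> bool:
    """RFC 5280 6.3.3 (f) as enforced by the merge above.

    key_usage_der is the extension's BIT STRING, or None when the certificate
    carries no keyUsage extension (legacy CA certificates).
    """
    if key_usage_der is None:
        return is_ca  # no extension: only CA certificates remain acceptable
    return CRL_SIGN_BIT in parse_key_usage(key_usage_der)


# Constructed sample encodings (hex): "Certificate Sign, CRL Sign" as emitted for
# modern CA certificates, "Certificate Sign" only, and "Digital Signature" only.
KU_CERT_AND_CRL_SIGN = bytes.fromhex("03020106")
KU_CERT_SIGN_ONLY = bytes.fromhex("03020204")
KU_DIGITAL_SIGNATURE_ONLY = bytes.fromhex("03020780")

if __name__ == "__main__":
    print(accept_as_crl_issuer(True, KU_CERT_AND_CRL_SIGN))   # True
    print(accept_as_crl_issuer(True, KU_CERT_SIGN_ONLY))      # False: CA, but no cRLSign
    print(accept_as_crl_issuer(True, None))                   # True: legacy CA, no extension
    print(accept_as_crl_issuer(False, None))                  # False
```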