From: Martin Willi
Date: Fri, 3 Dec 2010 12:51:51 +0000 (+0100)
Subject: CRLSign keyUsage or CA basicConstraint are sufficient for CRL validation
X-Git-Tag: 4.5.1~214
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dffb176f2bc09ec1323f60a04f342391a3ab6dad;p=thirdparty%2Fstrongswan.git
CRLSign keyUsage or CA basicConstraint are sufficient for CRL validation
---
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index 4bd0470d36..9a0010299f 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -388,7 +388,7 @@ METHOD(certificate_t, issued_by, bool,
 {
 return FALSE;
 }
- if (!(x509->get_flags(x509) & X509_CA))
+ if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN)))
 {
 return FALSE;
 }
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 24bf9123fd..87d585363a 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -262,9 +262,9 @@ static int sign_crl()
 goto error;
 }
 x509 = (x509_t*)ca;
- if (!(x509->get_flags(x509) & X509_CA))
+ if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN)))
 {
- error = "CA certificate misses CA basicConstraint";
+ error = "CA certificate misses CA basicConstraint / CRLSign keyUsage";
 goto error;
 }
 public = ca->get_public_key(ca);
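Review bot: The widened mask in `issued_by` accepts a certificate carrying either flag, so a CA certificate whose keyUsage extension is present but lacks cRLSign still passes as a CRL issuer, whereas RFC 5280 section 6.3.3 step (f) requires the cRLSign bit whenever keyUsage is present. Whether the `X509_CA` / `X509_CRL_SIGN` flags can distinguish "no keyUsage extension" from "keyUsage without cRLSign" is not visible here, so enforcing this may need a separate check where the flags are parsed. The same mask is used in `sign_crl()` in src/pki/commands/signcrl.c. The condition also deserves a comment such as `/* CRL issuer: CA basicConstraint or cRLSign keyUsage is sufficient */`, since a non-CA cRLSign certificate now depends entirely on the issuer-matching and signature checks in the rest of `issued_by`, which lies outside this hunk.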
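Review bot: The new message `"CA certificate misses CA basicConstraint / CRLSign keyUsage"` reads as if both properties were required, while the condition rejects only a certificate that has neither. Wording such as `error = "certificate has neither CA basicConstraint nor CRLSign keyUsage";` states the actual condition and no longer calls a possibly non-CA signer a "CA certificate". `sign_crl()` begins and ends outside this hunk.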