break;
}
}
- if (!check_certificate(this, current, issuer, online, pathlen,
- current == subject ? auth : NULL))
+ if (!check_certificate(this, current, issuer, online, pathlen, auth))
{
trusted = FALSE;
issuer->destroy(issuer);
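Review bot: Passing `auth` for every certificate in the chain moves the subject-versus-CA decision out of this call and into each validator, and nothing visible here states that contract. The old argument `current == subject ? auth : NULL` guaranteed that only the subject certificate could contribute to `auth`. Now a validator that still treats a non-NULL `auth` as "this is the subject" would presumably record rules derived from an intermediate CA in the authentication result. I would add a comment at the call, for example `/* auth is passed for all path lengths; validators must check pathlen before adding rules */`, and state the same requirement in the validator interface documentation, which is outside this hunk.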
/**
* Check certificatePolicies
*/
-static bool check_policy(x509_t *subject, x509_t *issuer, auth_cfg_t *auth)
+static bool check_policy(x509_t *subject, x509_t *issuer, int pathlen,
+ auth_cfg_t *auth)
{
certificate_t *cert = (certificate_t*)subject;
x509_policy_mapping_t *mapping;
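Review bot: The header comment still reads only "Check certificatePolicies", although the new `pathlen` parameter now controls what the function does with `auth`. Judging from the later guard `if (pathlen == 0)`, a path length of 0 appears to denote the certificate being authenticated, and only then is the `auth`-guarded block entered. The comment should say this and state whether `auth` may be NULL, in the file's own doc style, e.g. `pathlen: position in the trust chain, 0 for the subject certificate` and `auth: receives policy rules only when pathlen is 0`. The function body continues outside this hunk.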
enumerator->destroy(enumerator);
return FALSE;
}
- if (auth)
+ if (pathlen == 0)
{
oid = asn1_oid_to_string(policy->oid);
if (oid)
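Review bot: The guard `if (pathlen == 0)` no longer tests `auth`, so this block now relies on every caller supplying a non-NULL `auth` for the subject certificate. The statement that actually uses `auth` lies outside the hunk, so this is inferred. If the block stores the policy OID in `auth`, a NULL argument would now be dereferenced where the old `if (auth)` simply skipped the block. Keeping both conditions, `if (pathlen == 0 && auth)`, preserves the previous NULL tolerance without changing behaviour for the caller updated in this commit.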
{
return FALSE;
}
- if (!check_policy((x509_t*)subject, (x509_t*)issuer, auth))
+ if (!check_policy((x509_t*)subject, (x509_t*)issuer, pathlen, auth))
{
return FALSE;
}
{
DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
subject->get_subject(subject));
- switch (check_ocsp((x509_t*)subject, (x509_t*)issuer, auth))
+ switch (check_ocsp((x509_t*)subject, (x509_t*)issuer,
+ pathlen ? NULL : auth))
{
case VALIDATION_GOOD:
DBG1(DBG_CFG, "certificate status is good");
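Review bot: The expression `pathlen ? NULL : auth` is written out in this `check_ocsp()` call and again in the `check_crl()` call in the next hunk, while `check_policy()` in the same commit takes `pathlen` and decides internally. Having two conventions for one rule makes it easy for a later edit to change one call site and not the other. Revocation results for a CA certificate could then end up in `auth` (inferred, since the callee bodies are not visible). I would compute the value once before the OCSP switch, `auth_cfg_t *subject_auth = pathlen ? NULL : auth;`, with a comment that only the subject certificate (pathlen 0) may contribute revocation results, and pass `subject_auth` to both calls. The enclosing function starts and ends outside these hunks.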
DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
break;
}
- switch (check_crl((x509_t*)subject, (x509_t*)issuer, auth))
+ switch (check_crl((x509_t*)subject, (x509_t*)issuer,
+ pathlen ? NULL : auth))
{
case VALIDATION_GOOD:
DBG1(DBG_CFG, "certificate status is good");