x509: Only allow certificates with cRLSign keyUsage to sign CRLs
authorTobias Brunner <tobias@strongswan.org>
Wed, 22 Feb 2023 16:20:07 +0000 (17:20 +0100)
committerTobias Brunner <tobias@strongswan.org>
Tue, 21 Mar 2023 15:34:14 +0000 (16:34 +0100)
src/libstrongswan/plugins/x509/x509_crl.c

index d5221ed4ada255ff7275edc001ac12ffd9d737a3..9dbb7b5f2df425fab8e15f28318d4c5c4b3052f4 100644 (file)
@@ -462,12 +462,12 @@ METHOD(certificate_t, issued_by, bool,
        x509_t *x509 = (x509_t*)issuer;
        chunk_t keyid = chunk_empty;
 
-       /* check if issuer is an X.509 CA certificate */
+       /* check if issuer is an X.509 certificate with cRLSign keyUsage bit set */
        if (issuer->get_type(issuer) != CERT_X509)
        {
                return FALSE;
        }
-       if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN)))
+       if (!(x509->get_flags(x509) & X509_CRL_SIGN))
        {
                return FALSE;
        }
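Review bot: The tightened test on the `X509_CRL_SIGN` line now depends entirely on how the parser derives that flag, and nothing in the hunk or the comment records the one case that matters for compatibility: a certificate with no keyUsage extension at all. RFC 5280 §6.3.3 step (f) only requires cRLSign when a keyUsage extension is present, so if the x509 parser does not set `X509_CRL_SIGN` for certificates that omit the extension (not visible here — worth confirming), such issuers are silently rejected after this change. Either way the comment should state the contract, e.g. `/* RFC 5280 6.3.3 (f): the CRL issuer must carry the cRLSign keyUsage bit; a CA certificate whose keyUsage lacks it may not sign CRLs, and the parser is expected to set X509_CRL_SIGN when no keyUsage extension is present */`. issued_by's body begins before and continues after this hunk, so the signature check that follows the flag test is not under review here.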