CA certificates are allowed to sign OCSP responsed without OCSP_SIGNER flag

author Martin Willi <martin@strongswan.org>

Thu, 20 Mar 2008 07:21:44 +0000 (07:21 -0000)

committer Martin Willi <martin@strongswan.org>

Thu, 20 Mar 2008 07:21:44 +0000 (07:21 -0000)
author Martin Willi <martin@strongswan.org>
Thu, 20 Mar 2008 07:21:44 +0000 (07:21 -0000)
committer Martin Willi <martin@strongswan.org>
Thu, 20 Mar 2008 07:21:44 +0000 (07:21 -0000)
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c

index 565ab82abf24ea0daacab0e8d54a2dfcd0aa755b..cf1de6b4eb4d99d47b95e167c569b2f4ba906cf3 100644 (file)
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -680,7 +680,8 @@ static bool issued_by(private_x509_ocsp_response_t *this, certificate_t *issuer,
                                 return FALSE;
                 }
         }
-       if (!(x509->get_flags(x509) & X509_OCSP_SIGNER))
+       if (!(x509->get_flags(x509) & X509_OCSP_SIGNER) &&
+               !(x509->get_flags(x509) & X509_CA))
         {
                 return FALSE;
         }
author	Martin Willi <martin@strongswan.org>
	Thu, 20 Mar 2008 07:21:44 +0000 (07:21 -0000)
committer	Martin Willi <martin@strongswan.org>
	Thu, 20 Mar 2008 07:21:44 +0000 (07:21 -0000)