From: Tobias Brunner
Date: Wed, 22 Feb 2023 16:20:07 +0000 (+0100)
Subject: x509: Only allow certificates with cRLSign keyUsage to sign CRLs
X-Git-Tag: 5.9.11dr1~3^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7d1f2212119e6cc4bde26993d85370215c6daf73;p=thirdparty%2Fstrongswan.git

x509: Only allow certificates with cRLSign keyUsage to sign CRLs
---

diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index d5221ed4ad..9dbb7b5f2d 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -462,12 +462,12 @@ METHOD(certificate_t, issued_by, bool,
 x509_t *x509 = (x509_t*)issuer;
 chunk_t keyid = chunk_empty;

- /* check if issuer is an X.509 CA certificate */
+ /* check if issuer is an X.509 certificate with cRLSign keyUsage bit set */
 if (issuer->get_type(issuer) != CERT_X509)
 {
 return FALSE;
 }
- if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN)))
+ if (!(x509->get_flags(x509) & X509_CRL_SIGN))
 {
 return FALSE;
 }
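Review bot: Dropping X509_CA from the mask in the second `if` means a CA certificate that carries no keyUsage extension at all is now rejected as a CRL issuer unless the x509 parser sets X509_CRL_SIGN for that case, which this hunk cannot show; RFC 5280 §4.2.1.3 only demands cRLSign when the extension is present, so please confirm the parser's handling of the absent-extension case, since the failure mode here is a CRL that silently fails to validate and leaves revocation status unknown. If keyUsage-less CAs are meant to be rejected, the new comment should say so explicitly, e.g. `/* require the cRLSign keyUsage bit; CAs without a keyUsage extension are deliberately not accepted as CRL issuers */`, rather than only describing the bit test. The rest of issued_by, including the use of `keyid`, lies outside the hunk.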