From: Martin Willi
Date: Thu, 20 Mar 2008 07:21:44 +0000 (-0000)
Subject: CA certificates are allowed to sign OCSP responsed without OCSP_SIGNER flag
X-Git-Tag: 4.2.0~115
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ca7663ece640dbabcd6713238855647fe86612b5;p=thirdparty%2Fstrongswan.git

CA certificates are allowed to sign OCSP responsed without OCSP_SIGNER flag
---

diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index 565ab82abf..cf1de6b4eb 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -680,7 +680,8 @@ static bool issued_by(private_x509_ocsp_response_t *this, certificate_t *issuer,
 return FALSE;
 }
 }
- if (!(x509->get_flags(x509) & X509_OCSP_SIGNER))
+ if (!(x509->get_flags(x509) & X509_OCSP_SIGNER) &&
+ !(x509->get_flags(x509) & X509_CA))
 {
 return FALSE;
 }
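Review bot: The relaxed flag check in issued_by() now accepts any certificate carrying `X509_CA` as an OCSP signer, and nothing visible in this hunk ties that CA to the certificate whose status the response reports. RFC 2560 lets a CA sign responses directly only for certificates it issued itself, so it is worth confirming that the caller (outside this hunk) enforces that binding; otherwise any trusted CA in the store would be accepted as an authority on revocation status for certificates it did not issue. A comment on the condition would record the intent, e.g. `/* signer must be a delegated OCSP signer or a CA; binding to the subject's issuer is checked by the caller - TODO confirm */`. The two `get_flags()` calls can also be folded into a single mask test, `if (!(x509->get_flags(x509) & (X509_OCSP_SIGNER | X509_CA)))`. issued_by() begins and ends outside the hunk, so the signature verification that presumably follows is not visible here.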