From 7d1f2212119e6cc4bde26993d85370215c6daf73 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 22 Feb 2023 17:20:07 +0100
Subject: [PATCH] x509: Only allow certificates with cRLSign keyUsage to sign CRLs

---
 src/libstrongswan/plugins/x509/x509_crl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index d5221ed4ad..9dbb7b5f2d 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -462,12 +462,12 @@ METHOD(certificate_t, issued_by, bool,
 	x509_t *x509 = (x509_t*)issuer;
 	chunk_t keyid = chunk_empty;
 
-	/* check if issuer is an X.509 CA certificate */
+	/* check if issuer is an X.509 certificate with cRLSign keyUsage bit set */
 	if (issuer->get_type(issuer) != CERT_X509)
 	{
 		return FALSE;
 	}
-	if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN)))
+	if (!(x509->get_flags(x509) & X509_CRL_SIGN))
 	{
 		return FALSE;
 	}
-- 
2.47.2
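Review bot: The tightened check `if (!(x509->get_flags(x509) & X509_CRL_SIGN))` rejects every issuer whose flags lack cRLSign, which also covers a CA certificate that carries no keyUsage extension at all unless the certificate parser sets X509_CRL_SIGN in that case — RFC 5280 §4.2.1.3 treats an absent keyUsage as permitting all usages, so this should be confirmed against the x509_cert.c flag derivation before release, otherwise CRLs from such CAs are now dropped and revocation checking for them fails silently. Dropping the `X509_CA` alternative is the intended hardening (a keyCertSign-only CA must not be able to revoke on someone else's behalf), but it is a behaviour change for deployments whose CRL signer relied on the CA flag alone, and deserves a NEWS entry naming the new requirement. The updated comment states what is checked but not why; `/* RFC 5280 4.2.1.3: only a certificate with the cRLSign keyUsage bit may sign CRLs, the CA flag alone is not sufficient */` would make the security rationale explicit at the check. The body of issued_by continues past the hunk (key identifier matching and the signature verification itself are outside this view).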