credential-manager: Check certificate expiry also for trusted self-signed certs
authorThomas Jarosch <thomas.jarosch@intra2net.com>
Tue, 5 May 2026 12:38:30 +0000 (14:38 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 22 May 2026 12:33:28 +0000 (14:33 +0200)
This serves as a defense-in-depth measure against forgotten
configs/credentials.

src/libstrongswan/credentials/credential_manager.c

index e1510da216015d7533e67a7387440fde7a91189a..0e4adf7ac2db0c70e7ba579d067f9520910dc063 100644 (file)
@@ -919,6 +919,7 @@ METHOD(enumerator_t, trusted_enumerate, bool,
 {
        certificate_t *current, **cert;
        auth_cfg_t **auth;
+       bool is_valid_self_signed = FALSE;
 
        VA_ARGS_VGET(args, cert, auth);
 
@@ -942,19 +943,25 @@ METHOD(enumerator_t, trusted_enumerate, bool,
                        }
                        DBG1(DBG_CFG, "  using trusted certificate \"%Y\"",
                                 this->pretrusted->get_subject(this->pretrusted));
-                       /* if we find a trusted self signed certificate, we just accept it.
-                        * However, in order to fulfill authorization rules, we try to build
-                        * the trust chain if it is not self signed */
-                       if (issued_by(this->this, this->pretrusted, this->pretrusted, NULL) ||
+                       /* if we find a trusted self-signed certificate, check expiry... */
+                       if (issued_by(this->this, this->pretrusted, this->pretrusted, NULL))
+                       {
+                               if (!check_lifetime(this->this, this->pretrusted, "subject", 0,
+                                                                       TRUE, this->auth))
+                               {
+                                       return FALSE;
+                               }
+                               this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
+                                                               this->pretrusted->get_ref(this->pretrusted));
+                               is_valid_self_signed = TRUE;
+                       }
+                       /* ...for non-self-signed certificates, verify the full trust chain
+                        * to fulfill authorization rules */
+                       if (is_valid_self_signed ||
                                verify_trust_chain(this->this, this->pretrusted, this->auth,
                                                                   TRUE, this->online))
                        {
                                *cert = this->pretrusted;
-                               if (!this->auth->get(this->auth, AUTH_RULE_SUBJECT_CERT))
-                               {       /* add cert to auth info, if not returned by trustchain */
-                                       this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
-                                                                       this->pretrusted->get_ref(this->pretrusted));
-                               }
                                if (auth)
                                {
                                        *auth = this->auth;
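Review bot: The `return FALSE;` added for the expired self-signed case ends the whole enumeration, whereas the non-self-signed branch on the next lines falls through when verify_trust_chain() fails, so a pretrusted self-signed cert that is past its lifetime now aborts trusted_enumerate instead of letting it move on to whatever candidates the rest of the function (outside this hunk) would otherwise yield; the hunk also differs from the first hunk only in using the new `is_valid_self_signed` flag, so this is the only place to raise it. If the hard stop is intended as the defense-in-depth behaviour the commit message describes, that should be stated at the point of return, e.g. `/* an expired pretrusted cert is a hard failure, don't fall back to other candidates */`; if not, the branch should clear the pretrusted state and continue like the chain-verification path does. Separately, the dropped `if (!this->auth->get(this->auth, AUTH_RULE_SUBJECT_CERT))` guard means the self-signed path now adds the subject cert unconditionally; that is fine as long as verify_trust_chain() is the only other writer of that rule, but if `this->auth` can already carry one from the caller, the old guard should be restored around the new add() call. The enclosing function continues past the end of the hunk.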