constraints: Don't reject certificates with invalid certificate policies
author Martin Willi <martin@revosec.ch>
Fri, 10 Oct 2014 14:33:56 +0000 (16:33 +0200)
committer Martin Willi <martin@revosec.ch>
Thu, 30 Oct 2014 10:32:19 +0000 (11:32 +0100)
commit 69232e2d3dd1a1bdae2dfc2f433de9b8a4ddd052
tree d8190407b0ce69d1d5e63c7a5b5c9378d9471205
parent 885646acd317f4c7e4be13756c7167b8494f8aef
constraints: Don't reject certificates with invalid certificate policies

Instead of rejecting the certificate completely if a certificate has a policy
OID that is actually not allowed by the issuer CA, we accept it. However, the
certificate policy itself is still considered invalid, and is not returned
in the auth config resulting from trust chain operations.

A user must make sure to rely on the returned auth config certificate policies
instead of the policies contained in the certificate; even if the certificate
is valid, the policy OID itself in the certificate is not to be trusted
anymore.
src/libstrongswan/plugins/constraints/constraints_validator.c
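
The behaviour described in the commit message above, as an added example that is not strongSwan code: a simplified model in which policy OIDs the issuer does not permit are left out of the returned set instead of failing the certificate, and the authorization check reads only that returned set. The types, function names and OIDs are hypothetical, and the anyPolicy handling is an assumption of this sketch, not full RFC 5280 policy processing.

```c
#include <stdio.h>
#include <string.h>
#define ANY_POLICY "2.5.29.32.0" /* anyPolicy OID from RFC 5280 */
#define MAX_POLICIES 8

/* Hypothetical stand-in for a list of policy OIDs (not a strongSwan type). */
typedef struct {
    const char *oids[MAX_POLICIES];
    size_t count;
} policy_set_t;

static int set_contains(const policy_set_t *s, const char *oid)
{
    for (size_t i = 0; i < s->count; i++)
        if (strcmp(s->oids[i], oid) == 0)
            return 1;
    return 0;
}

/* Copy into 'trusted' only the subject policies the issuer allows and return how
 * many were dropped. Assumption: an issuer asserting anyPolicy allows all. */
size_t filter_policies(const policy_set_t *issuer, const policy_set_t *subject,
                       policy_set_t *trusted)
{
    int issuer_any = set_contains(issuer, ANY_POLICY);
    trusted->count = 0;
    for (size_t i = 0; i < subject->count; i++)
        if (issuer_any || set_contains(issuer, subject->oids[i]))
            trusted->oids[trusted->count++] = subject->oids[i];
    return subject->count - trusted->count;
}

/* Authorization reads the filtered set, never the certificate's own list. */
int policy_authorized(const policy_set_t *trusted, const char *required)
{
    return set_contains(trusted, required);
}

int main(void)
{
    /* Constructed OIDs under a made-up enterprise arc. */
    policy_set_t ca = { { "1.3.6.1.4.1.99999.1.1" }, 1 };
    policy_set_t leaf = { { "1.3.6.1.4.1.99999.1.1", "1.3.6.1.4.1.99999.1.2" }, 2 };
    policy_set_t trusted;
    size_t dropped = filter_policies(&ca, &leaf, &trusted);
    printf("dropped=%zu, raw cert says %d, auth config says %d\n", dropped,
           set_contains(&leaf, leaf.oids[1]), policy_authorized(&trusted, leaf.oids[1]));
    return 0;
}
```

The certificate is accepted in both cases; only the check against the filtered set refuses the policy the issuer never granted.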