revocation: Don't merge auth config of CLR/OCSP trustchain validation
authorMartin Willi <martin@revosec.ch>
Thu, 27 Mar 2014 09:59:29 +0000 (10:59 +0100)
committerMartin Willi <martin@revosec.ch>
Mon, 31 Mar 2014 12:40:33 +0000 (14:40 +0200)
commita844b6589034ff53e845fb9013d69dac02385453
treea4c18f3526bed498a0a14807b28c0739c08bc5e2
parentefce234de43cd42c624b1ba62d37168c521a526e
revocation: Don't merge auth config of CLR/OCSP trustchain validation

This behavior was introduced with 6840a6fb to avoid key/signature strength
checking for the revocation trustchain as we do it for end entity certificates.
Unfortunately this breaks CA constraint checking under certain conditions, as
we merge additional intermediate/CA certificates to the auth config.

As key/signature strength checking of the revocation trustchain is a rather
exotic requirement we drop support for that to properly enforce CA constraints.
src/libstrongswan/plugins/revocation/revocation_validator.c