revocation: Log error if no OCSP signer candidate found
authorMartin Willi <martin@revosec.ch>
Mon, 31 Mar 2014 12:53:15 +0000 (14:53 +0200)
committerMartin Willi <martin@revosec.ch>
Mon, 31 Mar 2014 13:02:17 +0000 (15:02 +0200)
Fixes evaluation of ikev2/ocsp-untrusted-cert.

src/libstrongswan/plugins/revocation/revocation_validator.c

index eb9065f..9fd5b2a 100644 (file)
@@ -118,7 +118,6 @@ static bool verify_ocsp(ocsp_response_t *response, certificate_t *ca)
                {       /* OCSP signer currently invalid */
                        continue;
                }
-               found = TRUE;
                if (!ca->equals(ca, issuer))
                {       /* delegated OCSP signer? */
                        if (!lib->credmgr->issued_by(lib->credmgr, issuer, ca, NULL))
@@ -130,6 +129,7 @@ static bool verify_ocsp(ocsp_response_t *response, certificate_t *ca)
                                continue;
                        }
                }
+               found = TRUE;
                if (lib->credmgr->issued_by(lib->credmgr, subject, issuer, NULL))
                {
                        DBG1(DBG_CFG, "  ocsp response correctly signed by \"%Y\"",
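Review bot: The relocated `found = TRUE;` just before the signature check has a meaning that is not obvious from the code and deserves a comment: it now marks a candidate that has passed the validity and delegation checks, not merely one that was enumerated. A line such as `/* only the CA itself or an accepted delegated signer counts as a candidate */` above it would keep a later refactor from moving the assignment back above the trust checks, where an untrusted certificate would again suppress the error log. The rejection paths are also silent as far as the hunks show, for example the `continue` after "OCSP signer currently invalid" in the first hunk, so an operator presumably gets the same generic message for an expired signer as for an unrelated one. A debug line per rejection reason would make OCSP failures easier to triage. The loop header and the code that reads `found` lie outside the hunks, so this is inferred from the visible lines and the commit title.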