discard cert if CA basic constraints flag is not set and warn if cert is not valide
authorAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 9 Jun 2006 05:48:49 +0000 (05:48 -0000)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 9 Jun 2006 05:48:49 +0000 (05:48 -0000)
src/charon/config/credentials/local_credential_store.c

index 09eac6a..1034cec 100644 (file)
@@ -263,11 +263,22 @@ static void load_ca_certificates(private_local_credential_store_t *this, const c
                        cert = x509_create_from_file(file, "ca certificate");
                        if (cert)
                        {
-                               this->ca_certs->insert_last(this->ca_certs, (void*)cert);
-                       }
-                       else
-                       {
-                               this->logger->log(this->logger, ERROR, "certificate \"%s\" invalid, skipped", file);
+                               err_t ugh = cert->is_valid(cert, NULL);
+
+                               if (ugh != NULL)        
+                               {
+                                       this->logger->log(this->logger, ERROR, "warning: ca certificate %s", ugh);
+                               }
+                               if (cert->is_ca(cert))
+                               {
+                                       this->ca_certs->insert_last(this->ca_certs, (void*)cert);
+                               }
+                               else
+                               {
+                                       this->logger->log(this->logger, ERROR,
+                                                       "  CA basic constraints flag not set, cert discarded");
+                                       cert->destroy(cert);
+                               }
                        }
                }
        }
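Review bot: Both new log messages drop the file name that the removed "certificate \"%s\" invalid, skipped" message carried, so an operator reading the log cannot tell which CA file was discarded or which one failed is_valid(). I would pass `file` in both: `this->logger->log(this->logger, ERROR, "ca certificate \"%s\": %s", file, ugh);` for the validity warning, and `"ca certificate \"%s\" discarded, CA basic constraints flag not set", file);` for the basic-constraints branch. Note also that a certificate for which is_valid() returns an error is still inserted into ca_certs when is_ca() holds; since that is the commit's stated intent, a one-line comment above the insert_last call, e.g. `/* validity errors are only warned about; the CA cert is still trusted */`, would keep the next reader from treating it as an oversight. The "warning:" text logged at ERROR level reads inconsistently; if the logger has a warning level, it fits better there. load_ca_certificates begins before and ends after this hunk, and whether the string returned in ugh must be freed is not visible here.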