CRLSign keyUsage or CA basicConstraint are sufficient for CRL validation
authorMartin Willi <martin@revosec.ch>
Fri, 3 Dec 2010 12:51:51 +0000 (13:51 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 5 Jan 2011 15:45:56 +0000 (16:45 +0100)
src/libstrongswan/plugins/x509/x509_crl.c
src/pki/commands/signcrl.c

index 4bd0470..9a00102 100644 (file)
@@ -388,7 +388,7 @@ METHOD(certificate_t, issued_by, bool,
        {
                return FALSE;
        }
-       if (!(x509->get_flags(x509) & X509_CA))
+       if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN)))
        {
                return FALSE;
        }
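Review bot: The new condition on the `+` line accepts a CRL signer that has the CA basicConstraint but no cRLSign bit, which is looser than RFC 5280 §6.3.3 requires: when a keyUsage extension is present in the CRL issuer's certificate, cRLSign must be asserted, so a CA certificate whose keyUsage is present but omits cRLSign should still be rejected here. Whether `get_flags()` lets the caller distinguish an absent keyUsage extension from one that lacks cRLSign is not visible in this hunk; if the x509_t API exposes that, the check should accept X509_CA alone only when keyUsage is absent. The other half of the relaxation — a non-CA certificate with only cRLSign now passing this gate — matches RFC 5280's indirect-CRL issuer model, but it relies on the CRL being bound to that certificate by issuer name and the IDP indirectCRL flag elsewhere, which this hunk does not show. issued_by begins before the hunk and continues after it, so the signature verification that must follow the flag test is outside view; a comment on the new line such as `/* RFC 5280 6.3.3: a CRL issuer needs cRLSign, or CA when keyUsage is absent */` would record the intent.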
index 24bf912..87d5853 100644 (file)
@@ -262,9 +262,9 @@ static int sign_crl()
                goto error;
        }
        x509 = (x509_t*)ca;
-       if (!(x509->get_flags(x509) & X509_CA))
+       if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN)))
        {
-               error = "CA certificate misses CA basicConstraint";
+               error = "CA certificate misses CA basicConstraint / CRLSign keyUsage";
                goto error;
        }
        public = ca->get_public_key(ca);
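Review bot: The new error string on the `+` line reads as if both properties were missing, while the condition rejects only when neither is present; `error = "CA certificate has neither CA basicConstraint nor CRLSign keyUsage";` states what the check actually tests. The relaxed condition also lets the tool sign a CRL with a certificate that carries a keyUsage extension without cRLSign, and RFC 5280 §6.3.3 validators will reject such a CRL; if `get_flags()` or the x509_t API can tell an absent keyUsage from one lacking cRLSign, a warning or refusal for the keyUsage-present case would stop users from producing an unusable CRL. Conversely, a cRLSign-only, non-CA signer now passes this gate and yields an indirect CRL, which is only valid when the issuingDistributionPoint indirectCRL flag is set; whether the rest of sign_crl sets it is not visible here. sign_crl starts before this hunk and continues past the `get_public_key` call, so the signing path itself is outside the hunk.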