sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-04 00:00:14 -04:00
Code Issues Projects Releases Wiki Activity

x509: Only allow certificates with cRLSign keyUsage to sign CRLs

Browse Source
This commit is contained in:
Tobias Brunner 2023-02-22 17:20:07 +01:00
parent d12a4f5d23
commit 7d1f221211
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/libstrongswan/plugins/x509/x509_crl.c
View File

@ -462,12 +462,12 @@ METHOD(certificate_t, issued_by, bool,
x509_t *x509 = (x509_t*)issuer;
chunk_t keyid = chunk_empty;
/* check if issuer is an X.509 CA certificate */
/* check if issuer is an X.509 certificate with cRLSign keyUsage bit set */
if (issuer->get_type(issuer) != CERT_X509)
{
return FALSE;
}
if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN)))
if (!(x509->get_flags(x509) & X509_CRL_SIGN))
{
return FALSE;
}