openssl: Accept CRLs issued by non-CA certificates with cRLSign keyUsage flag
The x509 plugin accepted CRL signers since forever, to be precise, since
dffb176f2b
("CRLSign keyUsage or CA basicConstraint are sufficient
for CRL validation")).
References #3529.
This commit is contained in:
parent
428c0b293d
commit
7f170e4c9c
|
@ -303,7 +303,7 @@ METHOD(certificate_t, issued_by, bool,
|
|||
return FALSE;
|
||||
}
|
||||
x509 = (x509_t*)issuer;
|
||||
if (!(x509->get_flags(x509) & X509_CA))
|
||||
if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN)))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue