CA certificates are allowed to sign OCSP responsed without OCSP_SIGNER flag

2008-03-20 07:21:44 +00:00 · 2008-03-20 07:21:44 +00:00 · ca7663ece6
parent 48acfe98ae
commit ca7663ece6
1 changed files with 2 additions and 1 deletions
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@ -680,7 +680,8 @@ static bool issued_by(private_x509_ocsp_response_t *this, certificate_t *issuer,
 				return FALSE;
 		}
 	}
-	if (!(x509->get_flags(x509) & X509_OCSP_SIGNER))
+	if (!(x509->get_flags(x509) & X509_OCSP_SIGNER) &&
+		!(x509->get_flags(x509) & X509_CA))
 	{
 		return FALSE;
 	}