author | Martin Willi <martin@strongswan.org> | 2008-03-27 13:38:02 +0000 |
committer | Martin Willi <martin@strongswan.org> | 2008-03-27 13:38:02 +0000 |
commit | 0d30ba334317982413256e4b6293912bb00ca85c (patch) | |
tree | 7213ec92364271ddb425de257d9feb7ec3083dae /src/charon/credentials | |
parent | e74bc8e51dfc64ebf4044992ee9244214455d617 (diff) | |
use trusted self-signed root CA certificates as trust anchor only
Diffstat (limited to 'src/charon/credentials')
-rw-r--r-- | src/charon/credentials/credential_manager.c | 22 |
1 files changed, 16 insertions, 6 deletions
diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c
index 7c49d39a0..570420d78 100644
--- a/src/charon/credentials/credential_manager.c
+++ b/src/charon/credentials/credential_manager.c
@@ -904,10 +904,20 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 		issuer = get_issuer_cert(this, current, TRUE);
 		if (issuer)
 		{
-			auth->add_item(auth, AUTHZ_CA_CERT, issuer);
-			DBG1(DBG_CFG, " using trusted ca certificate \"%D\"",
-				 issuer->get_subject(issuer));
-			trusted = TRUE;
+			/* accept only self-signed CAs as trust anchor */
+			if (this->cache->issued_by(this->cache, issuer, issuer))
+			{
+				auth->add_item(auth, AUTHZ_CA_CERT, issuer);
+				DBG1(DBG_CFG, " using trusted ca certificate \"%D\"",
+					 issuer->get_subject(issuer));
+				trusted = TRUE;
+			}
+			else
+			{
+				auth->add_item(auth, AUTHZ_IM_CERT, issuer);
+				DBG1(DBG_CFG, " using trusted intermediate ca certificate "
+					 "\"%D\"", issuer->get_subject(issuer));
+			}
 		}
 		else
 		{
@@ -922,8 +932,8 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 				break;
 			}
 			auth->add_item(auth, AUTHZ_IM_CERT, issuer);
-			DBG1(DBG_CFG, " using untrusted ca certificate \"%D\"",
-				 issuer->get_subject(issuer));
+			DBG1(DBG_CFG, " using untrusted intermediate certificate "
+				 "\"%D\"", issuer->get_subject(issuer));
 		}
 		else
 		{
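Review bot: The new trusted-but-not-self-signed branch records the issuer as AUTHZ_IM_CERT and leaves `trusted` FALSE, so the chain walk now only succeeds once it reaches a self-signed certificate; the header comment of verify_trust_chain (outside this hunk) should state that, because a deployment whose trusted store holds an intermediate without its root will now fail verification where it previously passed. A one-line comment on the `else` branch, e.g. `/* trusted but not self-signed: treat as intermediate and keep walking up to a root */`, would make the intent explicit at the point where the behaviour changes. The anchor decision rests entirely on `this->cache->issued_by(this->cache, issuer, issuer)`; if that check verifies the signature against the certificate's own key it is sound, but if it only matches subject and issuer names, a certificate with matching names and a foreign signature would be accepted as a trust anchor, so that is worth confirming from the cache implementation. verify_trust_chain starts before and ends after this hunk.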