authorMartin Willi <martin@strongswan.org>2008-03-27 13:38:02 +0000
committerMartin Willi <martin@strongswan.org>2008-03-27 13:38:02 +0000
commit0d30ba334317982413256e4b6293912bb00ca85c (patch)
tree7213ec92364271ddb425de257d9feb7ec3083dae /src/charon/credentials
parente74bc8e51dfc64ebf4044992ee9244214455d617 (diff)
use trusted self-signed root CA certificates as trust anchor only
Diffstat (limited to 'src/charon/credentials')
-rw-r--r--src/charon/credentials/credential_manager.c22
1 files changed, 16 insertions, 6 deletions
diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c
index 7c49d39a0..570420d78 100644
--- a/src/charon/credentials/credential_manager.c
+++ b/src/charon/credentials/credential_manager.c
@@ -904,10 +904,20 @@ static bool verify_trust_chain(private_credential_manager_t *this,
issuer = get_issuer_cert(this, current, TRUE);
if (issuer)
{
- auth->add_item(auth, AUTHZ_CA_CERT, issuer);
- DBG1(DBG_CFG, " using trusted ca certificate \"%D\"",
- issuer->get_subject(issuer));
- trusted = TRUE;
+ /* accept only self-signed CAs as trust anchor */
+ if (this->cache->issued_by(this->cache, issuer, issuer))
+ {
+ auth->add_item(auth, AUTHZ_CA_CERT, issuer);
+ DBG1(DBG_CFG, " using trusted ca certificate \"%D\"",
+ issuer->get_subject(issuer));
+ trusted = TRUE;
+ }
+ else
+ {
+ auth->add_item(auth, AUTHZ_IM_CERT, issuer);
+ DBG1(DBG_CFG, " using trusted intermediate ca certificate "
+ "\"%D\"", issuer->get_subject(issuer));
+ }
}
else
{
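Review bot: The new `else` branch at the trusted-intermediate case leaves `trusted` FALSE, so the chain walk presumably continues past a trusted-but-not-self-signed CA and still has to terminate at a self-signed trusted root; the one-line comment above the `if` does not say this, and a reader may take the "trusted intermediate" log line to mean the chain is already anchored. I would extend the comment to `/* accept only self-signed CAs as trust anchor; a trusted but non-self-signed CA is treated as an intermediate, so trusted stays FALSE and the walk continues up to a self-signed root */`. The self-signed test relies on `issued_by(issuer, issuer)` verifying the signature rather than just comparing names — if the cache only matches subject/issuer DNs, a forged certificate with matching names would pass, so it is worth stating in the comment which check `issued_by` performs (cannot tell from the hunk). The enclosing `verify_trust_chain` loop starts and ends outside the hunk, so whether `current` is advanced to `issuer` in the intermediate branch is not visible here.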
@@ -922,8 +932,8 @@ static bool verify_trust_chain(private_credential_manager_t *this,
break;
}
auth->add_item(auth, AUTHZ_IM_CERT, issuer);
- DBG1(DBG_CFG, " using untrusted ca certificate \"%D\"",
- issuer->get_subject(issuer));
+ DBG1(DBG_CFG, " using untrusted intermediate certificate "
+ "\"%D\"", issuer->get_subject(issuer));
}
else
{