Handle certificates being on hold in a CRL

Certificates which are set on hold in a CRL might be removed from any
subsequent CRL. Hence you cannot conclude that a certificate is revoked
for good in this case, you would try to retrieve an update CRL to see if
the certificate on hold is still on it or not.

1 files changed, 11 insertions, 1 deletions

diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index def169275..34f347d1a 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -404,7 +404,15 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
 		{
 			DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
 				 &revocation, TRUE, crl_reason_names, reason);
-			*valid = VALIDATION_REVOKED;
+			if (reason != CRL_REASON_CERTIFICATE_HOLD)
+			{
+				*valid = VALIDATION_REVOKED;
+			}
+			else
+			{
+				/* if the cert is on hold, a newer CRL might not contain it */
+				*valid = VALIDATION_ON_HOLD;
+			}
 			enumerator->destroy(enumerator);
 			DESTROY_IF(best);
 			return cand;
@@ -681,6 +689,7 @@ METHOD(cert_validator_t, validate, bool,
 				DBG1(DBG_CFG, "certificate status is good");
 				return TRUE;
 			case VALIDATION_REVOKED:
+			case VALIDATION_ON_HOLD:
 				/* has already been logged */
 				return FALSE;
 			case VALIDATION_SKIPPED:
@@ -700,6 +709,7 @@ METHOD(cert_validator_t, validate, bool,
 				DBG1(DBG_CFG, "certificate status is good");
 				return TRUE;
 			case VALIDATION_REVOKED:
+			case VALIDATION_ON_HOLD:
 				/* has already been logged */
 				return FALSE;
 			case VALIDATION_FAILED: