CRLSign keyUsage or CA basicConstraint are sufficient for CRL validation

author: Martin Willi <martin@revosec.ch> 2010-12-03 13:51:51 +0100
committer: Martin Willi <martin@revosec.ch> 2011-01-05 16:45:56 +0100
commit: dffb176f2bc09ec1323f60a04f342391a3ab6dad (patch)
tree: f7453d076281c59f4bc940ebc953a24314019878 /src/pki
parent: ece5ac2271fcf57da630ce65e27121aec36063b4 (diff)
download: strongswan-dffb176f2bc09ec1323f60a04f342391a3ab6dad.tar.bz2
strongswan-dffb176f2bc09ec1323f60a04f342391a3ab6dad.tar.xz
1 files changed, 2 insertions, 2 deletions
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 24bf9123f..87d585363 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -262,9 +262,9 @@ static int sign_crl()
 		goto error;
 	}
 	x509 = (x509_t*)ca;
-	if (!(x509->get_flags(x509) & X509_CA))
+	if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN)))
 	{
-		error = "CA certificate misses CA basicConstraint";
+		error = "CA certificate misses CA basicConstraint / CRLSign keyUsage";
 		goto error;
 	}
 	public = ca->get_public_key(ca);
author	Martin Willi <martin@revosec.ch>	2010-12-03 13:51:51 +0100
committer	Martin Willi <martin@revosec.ch>	2011-01-05 16:45:56 +0100
commit	dffb176f2bc09ec1323f60a04f342391a3ab6dad (patch)
tree	f7453d076281c59f4bc940ebc953a24314019878 /src/pki
parent	ece5ac2271fcf57da630ce65e27121aec36063b4 (diff)
download	strongswan-dffb176f2bc09ec1323f60a04f342391a3ab6dad.tar.bz2 strongswan-dffb176f2bc09ec1323f60a04f342391a3ab6dad.tar.xz