Diffstat (limited to 'src/charon/credentials/credential_manager.c')
-rw-r--r--src/charon/credentials/credential_manager.c22
1 files changed, 16 insertions, 6 deletions
diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c
index 7c49d39a0..570420d78 100644
--- a/src/charon/credentials/credential_manager.c
+++ b/src/charon/credentials/credential_manager.c
@@ -904,10 +904,20 @@ static bool verify_trust_chain(private_credential_manager_t *this,
issuer = get_issuer_cert(this, current, TRUE);
if (issuer)
{
- auth->add_item(auth, AUTHZ_CA_CERT, issuer);
- DBG1(DBG_CFG, " using trusted ca certificate \"%D\"",
- issuer->get_subject(issuer));
- trusted = TRUE;
+ /* accept only self-signed CAs as trust anchor */
+ if (this->cache->issued_by(this->cache, issuer, issuer))
+ {
+ auth->add_item(auth, AUTHZ_CA_CERT, issuer);
+ DBG1(DBG_CFG, " using trusted ca certificate \"%D\"",
+ issuer->get_subject(issuer));
+ trusted = TRUE;
+ }
+ else
+ {
+ auth->add_item(auth, AUTHZ_IM_CERT, issuer);
+ DBG1(DBG_CFG, " using trusted intermediate ca certificate "
+ "\"%D\"", issuer->get_subject(issuer));
+ }
}
else
{
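Review bot: The two new log strings describe the same kind of certificate with different wording — `" using trusted intermediate ca certificate "` in the else branch here and `" using untrusted intermediate certificate "` in the second hunk of this file — so they cannot be grepped together; I would align them, e.g. `" using untrusted intermediate ca certificate "` in the second hunk. The comment `/* accept only self-signed CAs as trust anchor */` should also say what happens otherwise, e.g. `/* a trusted but not self-signed CA is treated as an intermediate: it is added as AUTHZ_IM_CERT, trusted stays FALSE and the walk continues toward a self-signed root */` — the loop body that advances `current` lies outside this hunk, so I cannot confirm that continuation from here. If `issued_by(issuer, issuer)` verifies the self-signature, as its name suggests, a FALSE result may also mean an unsupported signature scheme rather than a genuinely non-self-signed CA, and the demotion then happens silently; a DBG2 in the else branch noting that the trusted certificate was not accepted as an anchor would make that case visible in the log. verify_trust_chain begins and continues outside this hunk.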
@@ -922,8 +932,8 @@ static bool verify_trust_chain(private_credential_manager_t *this,
break;
}
auth->add_item(auth, AUTHZ_IM_CERT, issuer);
- DBG1(DBG_CFG, " using untrusted ca certificate \"%D\"",
- issuer->get_subject(issuer));
+ DBG1(DBG_CFG, " using untrusted intermediate certificate "
+ "\"%D\"", issuer->get_subject(issuer));
}
else
{