2 files changed, 45 insertions, 27 deletions

diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
index c30e8fedf..dc73299b8 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -380,10 +380,18 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename)
 	cert = lib->creds->create(lib->creds,
 							  CRED_CERTIFICATE, CERT_X509,
 							  BUILD_FROM_FILE, path,
-							  BUILD_X509_FLAG, X509_CA,
 							  BUILD_END);
 	if (cert)
 	{
+		x509_t *x509 = (x509_t*)cert;
+		
+		if (!(x509->get_flags(x509) & X509_CA))
+		{
+			cert->destroy(cert);
+			DBG1(DBG_CFG, "  ca certificate must have ca basic constraint set, "
+				 "discarded");
+			return NULL;
+		}
 		return (certificate_t*)add_cert(this, cert);
 	}
 	return NULL;
@@ -522,11 +530,32 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 		switch (type)
 		{
 			case CERT_X509:
-				cert = lib->creds->create(lib->creds,
-										  CRED_CERTIFICATE, CERT_X509,
-										  BUILD_FROM_FILE, file,
-										  BUILD_X509_FLAG, flag,
-										  BUILD_END);
+				if (flag & X509_CA)
+				{	/* for CA certificates, we strictly require CA
+					 * basicconstraints to be set */
+					cert = lib->creds->create(lib->creds,
+										CRED_CERTIFICATE, CERT_X509,
+										BUILD_FROM_FILE, file, BUILD_END);
+					if (cert)
+					{
+						x509_t *x509 = (x509_t*)cert;
+						
+						if (!(x509->get_flags(x509) & X509_CA))
+						{
+							DBG1(DBG_CFG, "  ca certificate must have ca "
+								 "basic constraint set, discarded");
+							cert->destroy(cert);
+							cert = NULL;
+						}
+					}
+				}
+				else
+				{	/* for all other flags, we add them to the certificate. */
+					cert = lib->creds->create(lib->creds,
+										CRED_CERTIFICATE, CERT_X509,
+										BUILD_FROM_FILE, file,
+										BUILD_X509_FLAG, flag, BUILD_END);
+				}
 				if (cert)
 				{
 					add_cert(this, cert);
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 860006f0b..746254486 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -1350,33 +1350,22 @@ static bool generate(private_builder_t *this)
 static private_x509_cert_t *build(private_builder_t *this)
 {
 	private_x509_cert_t *cert;
-	x509_flag_t flags;
 	
-	if (this->cert && !this->cert->encoding.ptr)
+	if (this->cert)
 	{
-		if (!this->sign_key || !this->cert ||
-			!generate(this))
-		{
-			destroy(this->cert);
-			free(this);
-			return NULL;
+		this->cert->flags |= this->flags;
+		if (!this->cert->encoding.ptr)
+		{	/* generate a new certificate */
+			if (!this->sign_key || !generate(this))
+			{
+				destroy(this->cert);
+				free(this);
+				return NULL;
+			}
 		}
 	}
 	cert = this->cert;
-	flags =  this->flags;
 	free(this);
-	if (cert == NULL)
-	{
-		return NULL;
-	}
-	
-	if ((flags & X509_CA) && !(cert->flags & X509_CA))
-	{
-		DBG1("  ca certificate must have ca basic constraint set, discarded");
-		destroy(cert);
-		return NULL;
-	}
-	cert->flags |= flags;
 	return cert;
 }