Commit 0d17838b99 for strongswan.org

commit 0d17838b9911458d45826827607b78d999b39dee
Author: Thomas Jarosch <thomas.jarosch@intra2net.com>
Date:   Tue May 5 15:41:01 2026 +0200

    credential-manager: Check expiry also for last cert in incomplete trust chain

    While the validity of a pre-trusted certificate for which an issuer is
    found is enforced via `check_certificate()`, the validity of such a
    certificate in an incomplete trust chain, or rather that of the last
    certificate in such a chain, was not enforced.  This fixes that
    inconsistency.

diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index 4f18121214..e1510da216 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -806,6 +806,13 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 				call_hook(this, CRED_HOOK_NO_ISSUER, current);
 				if (trusted)
 				{
+					if (!check_lifetime(this, current,
+										current != subject ? "issuer" : "subject",
+										pathlen, FALSE, auth))
+					{
+						trusted = FALSE;
+						break;
+					}
 					DBG1(DBG_CFG, "  reached end of incomplete trust chain for "
 						 "trusted certificate \"%Y\"",
 						 subject->get_subject(subject));
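Review bot: The added `check_lifetime()` call inside `if (trusted)` passes a bare `FALSE` as its fifth argument and carries no comment, so a reader cannot tell at the call site what that flag selects or why a lifetime check belongs in the no-issuer path. A short comment above the call would record the reasoning the commit message gives, e.g. `/* no issuer found, so check_certificate() is not reached for this cert: enforce its validity here */`, and the `FALSE` deserves a trailing comment naming the parameter it fills. Because this branch decides whether a pre-trusted certificate with an incomplete chain is accepted, a regression test using an expired certificate with no available issuer would pin the fail-closed result; none is visible in this diff. `verify_trust_chain()` begins and ends outside the hunk, so how `auth` is handled after the `break` cannot be checked from here.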