Compare subject against all key identifiers in has_subject()
authorMartin Willi <martin@revosec.ch>
Thu, 9 Sep 2010 15:40:16 +0000 (17:40 +0200)
committerMartin Willi <martin@revosec.ch>
Thu, 9 Sep 2010 15:46:20 +0000 (17:46 +0200)
src/libstrongswan/plugins/openssl/openssl_x509.c
src/libstrongswan/plugins/x509/x509_cert.c

index 4cc9356254624a002bc8c716ef7ebe4a5b796acb..aa39bc93d2c3616188ddc3c2e917ce84fff36533 100644 (file)
@@ -295,10 +295,23 @@ METHOD(certificate_t, has_subject, id_match_t,
        identification_t *current;
        enumerator_t *enumerator;
        id_match_t match, best;
+       chunk_t encoding;
 
        if (subject->get_type(subject) == ID_KEY_ID)
        {
-               if (chunk_equals(this->hash, subject->get_encoding(subject)))
+               encoding = subject->get_encoding(subject);
+
+               if (chunk_equals(this->hash, encoding))
+               {
+                       return ID_MATCH_PERFECT;
+               }
+               if (this->subjectKeyIdentifier.len &&
+                       chunk_equals(this->subjectKeyIdentifier, encoding))
+               {
+                       return ID_MATCH_PERFECT;
+               }
+               if (this->pubkey &&
+                       this->pubkey->has_fingerprint(this->pubkey, encoding))
                {
                        return ID_MATCH_PERFECT;
                }
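Review bot: The three comparisons added for an ID_KEY_ID are guarded inconsistently: `this->hash` goes into chunk_equals() unconditionally, while `this->subjectKeyIdentifier` is first tested for a non-zero `.len` and `this->pubkey` for non-NULL. If chunk_equals() already rejects a NULL or zero-length operand the `.len` guard is redundant; if it does not, the hash comparison needs the same guard — either way the chain should be aligned, as the x509_cert.c hunk in this commit guards both chunks. The accepted forms of a key ID are also not documented at the point of comparison; I would add above the first `if` a comment such as `/* a key ID may name the certificate hash, the subjectKeyIdentifier extension, or a fingerprint of the public key */`. has_subject() starts before and continues after this hunk.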
index 1ddb64f8c69a85d1b2b5e78f09f15d4906b8f03a..559090aa01c28c5688228cbfc01a515bfea1a9ed 100644 (file)
@@ -1098,11 +1098,6 @@ static identification_t* get_issuer(private_x509_cert_t *this)
        return this->issuer;
 }
 
-/**
- * Forward declaration
- */
-static chunk_t get_subjectKeyIdentifier(private_x509_cert_t *this);
-
 /**
  * Implementation of certificate_t.has_subject.
  */
@@ -1111,20 +1106,28 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje
        identification_t *current;
        enumerator_t *enumerator;
        id_match_t match, best;
+       chunk_t encoding;
 
        if (subject->get_type(subject) == ID_KEY_ID)
        {
-               chunk_t keyid = subject->get_encoding(subject);
+               encoding = subject->get_encoding(subject);
 
-               if (this->encoding_hash.ptr && chunk_equals(this->encoding_hash, keyid))
+               if (this->encoding_hash.len &&
+                       chunk_equals(this->encoding_hash, encoding))
                {
                        return ID_MATCH_PERFECT;
                }
-               if (chunk_equals(get_subjectKeyIdentifier(this), keyid))
+               if (this->subjectKeyIdentifier.len &&
+                       chunk_equals(this->subjectKeyIdentifier, encoding))
                {
                        return ID_MATCH_PERFECT;
                }
-       }               
+               if (this->public_key &&
+                       this->public_key->has_fingerprint(this->public_key, encoding))
+               {
+                       return ID_MATCH_PERFECT;
+               }
+       }
        best = this->subject->matches(this->subject, subject);
        enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
        while (enumerator->enumerate(enumerator, &current))
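Review bot: Replacing the `get_subjectKeyIdentifier(this)` call with a direct read of `this->subjectKeyIdentifier` changes what a certificate without a subjectKeyIdentifier extension matches: the removed helper presumably derived an identifier when the extension was absent, whereas the field is now skipped whenever its `.len` is zero. Whether the new `this->public_key->has_fingerprint()` comparison covers that case depends on the fingerprint types it accepts, which this hunk does not show — worth confirming before relying on it, since a peer identified by such a key ID would otherwise stop matching. I would also extend the `Implementation of certificate_t.has_subject.` comment with ` * An ID_KEY_ID matches the certificate hash, the subjectKeyIdentifier extension, or a fingerprint of the subject public key.` The same comparison chain is added to openssl_x509.c in this commit, and has_subject() starts before and continues after this hunk.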