Instead of the CA certificate's subjectKeyIdentifier, erroneously
the CA's authorityKeyIdentifier was used as the authorityKeyIdentifier
of the certificate to be issued. This might work with a root CA
where the authorityKeyIdentifier equals its subjectKeyIdentifier
but introduces a severe regression when an intermediate CA is used.
if (sign_cert->get_type(sign_cert) == CERT_X509)
{
- keyid = sign_x509->get_authKeyIdentifier(sign_x509);
+ keyid = sign_x509->get_subjectKeyIdentifier(sign_x509);
}
if (keyid.len ||
sign_key->get_fingerprint(sign_key, KEYID_PUBKEY_SHA1, &keyid))
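
Review bot: The corrected assignment inside the CERT_X509 branch carries no comment and no accompanying test, so nothing stops the two getters from being swapped again, and a root CA hides the mistake because its two identifiers are equal. Please add a one-line comment at the assignment stating that the issued certificate's authorityKeyIdentifier must carry the signer's subjectKeyIdentifier, and a regression test that issues a certificate from an intermediate CA and checks the resulting authorityKeyIdentifier against the intermediate's subjectKeyIdentifier. It is also worth confirming that the fallback in the following condition, which computes a KEYID_PUBKEY_SHA1 fingerprint from sign_key when keyid.len is zero, yields the identifier verifiers will expect for a signing certificate that has no subjectKeyIdentifier of its own.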