openssl: Consider authorityKeyIdentifier in issued_by()

Prior to verifying the cryptographic signature, check if the
authorityKeyIdentifier matches the key ID of the issuing certificate if
it is available.

diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index 4f8395136a7adc2e5e3b4ad82cd0bcdedb611f9b..6080c20ff4cecd96bed4d39365d9bc061566c662 100644 (file)
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -391,6 +391,7 @@ METHOD(certificate_t, issued_by, bool,
        public_key_t *key;
        bool valid;
        x509_t *x509 = (x509_t*)issuer;
+       chunk_t keyid = chunk_empty;
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
        const ASN1_BIT_STRING *sig;
 #else
@@ -417,10 +418,24 @@ METHOD(certificate_t, issued_by, bool,
                        return FALSE;
                }
        }
-       if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
+
+       /* compare keyIdentifiers if available, otherwise use DNs */
+       if (this->authKeyIdentifier.ptr)
        {
-               return FALSE;
+               keyid = x509->get_subjectKeyIdentifier(x509);
+               if (keyid.len && !chunk_equals(keyid, this->authKeyIdentifier))
+               {
+                       return FALSE;
+               }
        }
+       if (!keyid.len)
+       {
+               if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
+               {
+                       return FALSE;
+               }
+       }
+
        key = issuer->get_public_key(issuer);
        if (!key)
        {