openssl: Don't check signature if issuer doesn't match always

Doing this for the self-signed check also (i.e. if this and issuer are
the same) is particularly useful if the issuer uses a different key type.
Otherwise, we'd try to verify the signature with an incompatible key
that would result in a log message.

Fixes #3357.

diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index 6a8f6ff086bb7fa9ae92f2fe7ee9e66eaba79a1e..4f8395136a7adc2e5e3b4ad82cd0bcdedb611f9b 100644 (file)
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -416,10 +416,10 @@ METHOD(certificate_t, issued_by, bool,
                {
                        return FALSE;
                }
-               if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
-               {
-                       return FALSE;
-               }
+       }
+       if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
+       {
+               return FALSE;
        }
        key = issuer->get_public_key(issuer);
        if (!key)