x509: Use issuer certificate's subjectKeyIdentifier if available
authorTobias Brunner <tobias@strongswan.org>
Mon, 6 Nov 2023 17:39:11 +0000 (18:39 +0100)
committerTobias Brunner <tobias@strongswan.org>
Mon, 13 Nov 2023 11:32:32 +0000 (12:32 +0100)
Instead of just generating an authorityKeyIdentifier based on the
issuer's public key, this allows CA certificates to be issued by a
different tool that doesn't use a SHA-1 hash of the subjectPublicKey
for the subjectKeyIdentifier.

Closes strongswan/strongswan#1992
References strongswan/strongswan#1975

src/libstrongswan/plugins/x509/x509_cert.c

index ca200408e56c598226fd043d716e613a60cd6a0b..bdada3381cded56c16b36508edbe9748fa67c6c7 100644 (file)
@@ -2424,9 +2424,15 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
        /* add the keyid authKeyIdentifier for non self-signed certificates */
        if (sign_cert)
        {
-               chunk_t keyid;
+               x509_t *sign_x509 = (x509_t*)sign_cert;
+               chunk_t keyid = chunk_empty;
 
-               if (sign_key->get_fingerprint(sign_key, KEYID_PUBKEY_SHA1, &keyid))
+               if (sign_cert->get_type(sign_cert) == CERT_X509)
+               {
+                       keyid = sign_x509->get_authKeyIdentifier(sign_x509);
+               }
+               if (keyid.len ||
+                       sign_key->get_fingerprint(sign_key, KEYID_PUBKEY_SHA1, &keyid))
                {
                        authKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
                                                        asn1_build_known_oid(OID_AUTHORITY_KEY_ID),
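Review bot: The new line `keyid = sign_x509->get_authKeyIdentifier(sign_x509);` reads the issuer certificate's authorityKeyIdentifier, whereas the commit title and description say the issuer's subjectKeyIdentifier is what should end up in the generated certificate's AKI. The issuer's AKI names the key of the issuer's own issuer, so when sign_cert is an intermediate CA the new certificate would carry the wrong key id and AKI/SKI matching during chain building would fail to link it to its issuer; a self-signed root whose AKI equals its SKI would mask this, which may be why it passes the referenced scenario. Unless get_authKeyIdentifier is intended here for a reason not visible on the page, the line should read `keyid = sign_x509->get_subjectKeyIdentifier(sign_x509);`, and a test issuing an end-entity certificate from an intermediate CA that carries a non-SHA-1 SKI, then comparing the resulting AKI against that SKI, would pin the behavior. The enclosing generate() starts before and continues after this hunk.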