Instead of just generating an authorityKeyIdentifier based on the
issuer's public key, this allows CA certificates to be issued by a
different tool that doesn't use a SHA-1 hash of the subjectPublicKey
for the subjectKeyIdentifier.
Closes strongswan/strongswan#1992
References strongswan/strongswan#1975
/* add the keyid authKeyIdentifier for non self-signed certificates */
if (sign_cert)
{
- chunk_t keyid;
+ x509_t *sign_x509 = (x509_t*)sign_cert;
+ chunk_t keyid = chunk_empty;
- if (sign_key->get_fingerprint(sign_key, KEYID_PUBKEY_SHA1, &keyid))
+ if (sign_cert->get_type(sign_cert) == CERT_X509)
+ {
+ keyid = sign_x509->get_authKeyIdentifier(sign_x509);
+ }
+ if (keyid.len ||
+ sign_key->get_fingerprint(sign_key, KEYID_PUBKEY_SHA1, &keyid))
{
authKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_build_known_oid(OID_AUTHORITY_KEY_ID),
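Review bot: the identifier copied from the issuer at `keyid = sign_x509->get_authKeyIdentifier(sign_x509);` does not match what the commit message describes. The authorityKeyIdentifier written into the new certificate has to equal the issuer's subjectKeyIdentifier, since that is the value path builders match against; calling `get_authKeyIdentifier()` on the issuer certificate returns the issuer's own AKI, i.e. the key ID of the issuer's issuer, so for any CA that is not self-signed the new certificate's AKI would point one level too high and chain building by key ID would fail (for a self-signed root the two happen to coincide, which can hide the bug in tests). If this is meant to be the issuer's subject key ID, as the message says, the call should be the subject-key accessor of x509_t (`get_subjectKeyIdentifier`, if that is its name); if reading the issuer's AKI is intentional, a comment explaining why is needed. The `chunk_empty` initialisation together with the `keyid.len ||` guard is fine: a non-X.509 `sign_cert` or an issuer without a subjectKeyIdentifier still falls back to the SHA-1 public-key fingerprint as before, so existing deployments keep their current AKI values.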