x509: Consider authorityKeyIdentifier in issued_by()
authorAdrian-Ken Rueegsegger <ken@codelabs.ch>
Wed, 14 Apr 2021 13:20:27 +0000 (15:20 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 7 May 2021 12:29:24 +0000 (14:29 +0200)
Prior to verifying the cryptographic signature, check whether the
authorityKeyIdentifier, if available, matches the key ID of the issuing
certificate.

src/libstrongswan/plugins/x509/x509_cert.c

index cf5bee06b2a332b312278399a8e4c15eb4701fee..9eb17a19483ee41291394ee27836dc39760676d8 100644 (file)
@@ -1710,6 +1710,7 @@ METHOD(certificate_t, issued_by, bool,
        public_key_t *key;
        bool valid;
        x509_t *x509 = (x509_t*)issuer;
+       chunk_t keyid = chunk_empty;
 
        if (&this->public.interface.interface == issuer)
        {
@@ -1733,9 +1734,22 @@ METHOD(certificate_t, issued_by, bool,
                        return FALSE;
                }
        }
-       if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
+
+       /* compare keyIdentifiers if available, otherwise use DNs */
+       if (this->authKeyIdentifier.ptr)
        {
-               return FALSE;
+               keyid = x509->get_subjectKeyIdentifier(x509);
+               if (keyid.len && !chunk_equals(keyid, this->authKeyIdentifier))
+               {
+                       return FALSE;
+               }
+       }
+       if (!keyid.len)
+       {
+               if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
+               {
+                       return FALSE;
+               }
        }
 
        /* get the public key of the issuer */
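Review bot: Once the issuer's subjectKeyIdentifier matches this certificate's authorityKeyIdentifier, the issuer-DN comparison is skipped entirely (the `if (!keyid.len)` guard around the equals() call), so a certificate whose issuer name differs from the candidate's subject is still reported as issued by it; the signature check that follows still has to pass, so this only matters where the same CA key appears in certificates with different subject names, but RFC 5280 section 6.1.3 requires the issuer name to equal the working issuer name independently of the key identifiers. If strict name chaining is intended, keep the DN test unconditional and let the key-ID comparison act only as an early reject: remove the `if (!keyid.len)` guard and leave `if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer))) { return FALSE; }` at function level. The new comment could also state the fallback precisely, e.g. `/* reject early if both key identifiers are present and differ; fall back to the DN comparison when either is missing */`. issued_by() starts and ends outside the hunk, so whether the x509_t cast of issuer is protected by a certificate-type check is not visible here.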