x509: Use subjectKeyIdentifier provided by issuer cert when checking CRL issuer

Some CAs don't use SHA-1 hashes of the public key as subjectKeyIdentifier and
authorityKeyIdentifier.  If that's the case we can't force the
calculation of the hash to compare that to authorityKeyIdentifier in the CRL,
instead we use the subjectKeyIdentifier stored in the issuer certificate, if
available.  Otherwise, we fall back to the SHA-1 hash (or comparing the
DNs) as before.

diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index 1f3f60daab76e788bb2cf4ea9aa15be05928ef7e..4d7e7bd107a4910daa2944307fc141ad6e78daba 100644 (file)
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -451,6 +451,7 @@ METHOD(certificate_t, issued_by, bool,
        signature_scheme_t scheme;
        bool valid;
        x509_t *x509 = (x509_t*)issuer;
+       chunk_t keyid = chunk_empty;
 
        /* check if issuer is an X.509 CA certificate */
        if (issuer->get_type(issuer) != CERT_X509)
@@ -462,37 +463,33 @@ METHOD(certificate_t, issued_by, bool,
                return FALSE;
        }
 
-       scheme = signature_scheme_from_oid(this->algorithm);
-       if (scheme == SIGN_UNKNOWN)
-       {
-               return FALSE;
-       }
-       key = issuer->get_public_key(issuer);
-       if (!key)
-       {
-               return FALSE;
-       }
-
        /* compare keyIdentifiers if available, otherwise use DNs */
        if (this->authKeyIdentifier.ptr)
        {
-               chunk_t fingerprint;
-
-               if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) ||
-                       !chunk_equals(fingerprint, this->authKeyIdentifier))
+               keyid = x509->get_subjectKeyIdentifier(x509);
+               if (keyid.len && !chunk_equals(keyid, this->authKeyIdentifier))
                {
-                       key->destroy(key);
                        return FALSE;
                }
        }
-       else
+       if (!keyid.len)
        {
                if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
                {
-                       key->destroy(key);
                        return FALSE;
                }
        }
+
+       scheme = signature_scheme_from_oid(this->algorithm);
+       if (scheme == SIGN_UNKNOWN)
+       {
+               return FALSE;
+       }
+       key = issuer->get_public_key(issuer);
+       if (!key)
+       {
+               return FALSE;
+       }
        valid = key->verify(key, scheme, this->tbsCertList, this->signature);
        key->destroy(key);
        if (valid && schemep)