x509: Fix public key reference leak if authority key identifier does not match

diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index d171ec2c4e9a065f88bd9bc0f416fde8bfc52d81..1f3f60daab76e788bb2cf4ea9aa15be05928ef7e 100644 (file)
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -462,17 +462,26 @@ METHOD(certificate_t, issued_by, bool,
                return FALSE;
        }
 
-       /* get the public key of the issuer */
+       scheme = signature_scheme_from_oid(this->algorithm);
+       if (scheme == SIGN_UNKNOWN)
+       {
+               return FALSE;
+       }
        key = issuer->get_public_key(issuer);
+       if (!key)
+       {
+               return FALSE;
+       }
 
        /* compare keyIdentifiers if available, otherwise use DNs */
-       if (this->authKeyIdentifier.ptr && key)
+       if (this->authKeyIdentifier.ptr)
        {
                chunk_t fingerprint;
 
                if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) ||
                        !chunk_equals(fingerprint, this->authKeyIdentifier))
                {
+                       key->destroy(key);
                        return FALSE;
                }
        }
@@ -480,17 +489,10 @@ METHOD(certificate_t, issued_by, bool,
        {
                if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
                {
+                       key->destroy(key);
                        return FALSE;
                }
        }
-
-       /* determine signature scheme */
-       scheme = signature_scheme_from_oid(this->algorithm);
-
-       if (scheme == SIGN_UNKNOWN || key == NULL)
-       {
-               return FALSE;
-       }
        valid = key->verify(key, scheme, this->tbsCertList, this->signature);
        key->destroy(key);
        if (valid && schemep)