non self-signed x509 certificates are encoded with authorityKeyIdentifier

author Martin Willi <martin@strongswan.org>

Tue, 8 Sep 2009 09:26:05 +0000 (11:26 +0200)

committer Martin Willi <martin@strongswan.org>

Tue, 8 Sep 2009 09:26:05 +0000 (11:26 +0200)
author Martin Willi <martin@strongswan.org>
Tue, 8 Sep 2009 09:26:05 +0000 (11:26 +0200)
committer Martin Willi <martin@strongswan.org>
Tue, 8 Sep 2009 09:26:05 +0000 (11:26 +0200)
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c

index 60c961a27e17a9eb4383543c856cf34683e6cfd9..b8e02ae5fd55091c3d2fec768289a42733b4c6f2 100644 (file)
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -1210,7 +1210,7 @@ static bool generate(private_builder_t *this)
  {
         chunk_t extensions = chunk_empty;
         chunk_t basicConstraints = chunk_empty, subjectAltNames = chunk_empty;
-       chunk_t subjectKeyIdentifier = chunk_empty;
+       chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
         identification_t *issuer, *subject;
         chunk_t key_info;
         signature_scheme_t scheme;
@@ -1303,7 +1303,6 @@ static bool generate(private_builder_t *this)
                 return FALSE;
         }
  
-
         if (this->cert->subjectAltNames->get_count(this->cert->subjectAltNames))
         {
                 /* TODO: encode subjectAltNames */
@@ -1330,12 +1329,26 @@ static bool generate(private_builder_t *this)
                                                                                 asn1_wrap(ASN1_OCTET_STRING, "c", keyid)));
                 }
         }
-       if (basicConstraints.ptr || subjectAltNames.ptr)
+       if (this->sign_key)
+       {       /* add the keyid authKeyIdentifier for non self-signed certificates */
+               chunk_t keyid;
+
+               if (this->sign_key->get_fingerprint(this->sign_key,
+                                                                                       KEY_ID_PUBKEY_SHA1, &keyid))
+               {
+                       authKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
+                                                       asn1_build_known_oid(OID_AUTHORITY_KEY_ID),
+                                                       asn1_wrap(ASN1_OCTET_STRING, "m",
+                                                               asn1_wrap(ASN1_SEQUENCE, "m",
+                                                                       asn1_wrap(ASN1_CONTEXT_S_0, "c", keyid))));
+               }
+       }
+       if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr)
         {
                 extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
-                                               asn1_wrap(ASN1_SEQUENCE, "mmm",
+                                               asn1_wrap(ASN1_SEQUENCE, "mmmm",
                                                         basicConstraints, subjectKeyIdentifier,
-                                                       subjectAltNames));
+                                                       authKeyIdentifier, subjectAltNames));
         }
  
         this->cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
author	Martin Willi <martin@strongswan.org>
	Tue, 8 Sep 2009 09:26:05 +0000 (11:26 +0200)
committer	Martin Willi <martin@strongswan.org>
	Tue, 8 Sep 2009 09:26:05 +0000 (11:26 +0200)