From: Adrian-Ken Rueegsegger
Date: Wed, 14 Apr 2021 13:20:27 +0000 (+0200)
Subject: x509: Consider authorityKeyIdentifier in issued_by()
X-Git-Tag: 5.9.3dr2~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=027c5c9dcb41b3fc37a3c66ea7664bffb3b94f03;p=thirdparty%2Fstrongswan.git

x509: Consider authorityKeyIdentifier in issued_by()

Prior to verifying the cryptographic signature, check if the authorityKeyIdentifier matches the key ID of the issuing certificate if it is available.
---
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index cf5bee06b2..9eb17a1948 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -1710,6 +1710,7 @@ METHOD(certificate_t, issued_by, bool,
 public_key_t *key;
 bool valid;
 x509_t *x509 = (x509_t*)issuer;
+ chunk_t keyid = chunk_empty;
 
 if (&this->public.interface.interface == issuer)
 {
@@ -1733,9 +1734,22 @@ METHOD(certificate_t, issued_by, bool,
 return FALSE;
 }
 }
- if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
+
+ /* compare keyIdentifiers if available, otherwise use DNs */
+ if (this->authKeyIdentifier.ptr)
 {
- return FALSE;
+ keyid = x509->get_subjectKeyIdentifier(x509);
+ if (keyid.len && !chunk_equals(keyid, this->authKeyIdentifier))
+ {
+ return FALSE;
+ }
+ }
+ if (!keyid.len)
+ {
+ if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
+ {
+ return FALSE;
+ }
 }
 
 /* get the public key of the issuer */
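Review bot: When the child's authorityKeyIdentifier matches the issuer's subjectKeyIdentifier, the issuer-DN versus subject-DN comparison is skipped entirely (it now sits under `if (!keyid.len)`), so a certificate whose issuer name differs from the signing CA's subject name is still reported as issued by it; RFC 5280 section 6.1.3 (a)(4) requires name chaining in addition to the signature check, and any code that later matches certificates or CRLs by issuer DN may not expect a chain where the names do not line up. Unless relaxing name chaining is intended, keep the DN check unconditional and treat the key-ID match only as an additional early reject: after the keyid block, `if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer))) { return FALSE; }` with the `if (!keyid.len)` wrapper removed. A comment above the block such as `/* key ID mismatch is a cheap early reject; the signature check below is still authoritative */` would make the intent clear, since a matching key ID by itself proves nothing until the signature is verified. issued_by() starts before and continues after this hunk, so the existing CERT_X509 type check the `x509` cast relies on is not visible here.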