From: Andreas Steffen
Date: Tue, 14 Nov 2023 07:00:27 +0000 (+0100)
Subject: x509: Fix regression introduced by commit a22147a
X-Git-Tag: 5.9.12rc1~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6941dcb17aa5fb51b6fe7831794a4c3593480c3c;p=thirdparty%2Fstrongswan.git

x509: Fix regression introduced by commit a22147a

Instead of the CA certificate's subjectKeyIdentifier erroneously the CA's authorityKeyIdentifier was used as the authorityKeyIdentfier of the certificate to be issued. This might work with a root CA where the authorityKeyIdentifier equals its subjectKeyIdentfier but introduces a severe regression when an intermediate CA is used.
---
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 296a1a3330..592a96d9d9 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -2432,7 +2432,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 if (sign_cert->get_type(sign_cert) == CERT_X509)
 {
- keyid = sign_x509->get_authKeyIdentifier(sign_x509);
+ keyid = sign_x509->get_subjectKeyIdentifier(sign_x509);
 }
 if (keyid.len ||
 sign_key->get_fingerprint(sign_key, KEYID_PUBKEY_SHA1, &keyid))
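Review bot: The corrected assignment `keyid = sign_x509->get_subjectKeyIdentifier(sign_x509);` carries no comment stating the rule that was just broken, so the two getters remain easy to swap again. I would add `/* AKI of the issued cert must be the issuer's SKI (RFC 5280, 4.2.1.2), never the issuer's own AKI */` above it. The diff also adds no regression test. A case that issues a certificate from an intermediate CA and asserts that its authorityKeyIdentifier equals the signer's subjectKeyIdentifier would have caught this, whereas a root-CA-only test passes either way, as the commit message notes. Certificates issued through an intermediate CA by builds containing a22147a presumably carry an authorityKeyIdentifier that points at the intermediate's own issuer, so they should be identified and reissued rather than assumed to chain correctly. The body of `generate()` starts and ends outside this hunk, so the declaration of `sign_x509` and the use of the fallback fingerprint could not be checked here.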