From: Tobias Brunner <tobias@strongswan.org>
Date: Mon, 6 Nov 2023 17:39:11 +0000 (+0100)
Subject: x509: Use issuer certificate's subjectKeyIdentifier if available
X-Git-Tag: 5.9.12rc1~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a22147a1b2780e6ed9bcd75c80e31011560dfa43;p=thirdparty%2Fstrongswan.git

x509: Use issuer certificate's subjectKeyIdentifier if available

Instead of just generating an authorityKeyIdentifier based on the
issuer's public key, this allows CA certificates to be issued by a
different tool that doesn't use a SHA-1 hash of the subjectPublicKey
for the subjectKeyIdentifier.

Closes strongswan/strongswan#1992
References strongswan/strongswan#1975
---

diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index ca200408e5..bdada3381c 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -2424,9 +2424,15 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	/* add the keyid authKeyIdentifier for non self-signed certificates */
 	if (sign_cert)
 	{
-		chunk_t keyid;
+		x509_t *sign_x509 = (x509_t*)sign_cert;
+		chunk_t keyid = chunk_empty;
 
-		if (sign_key->get_fingerprint(sign_key, KEYID_PUBKEY_SHA1, &keyid))
+		if (sign_cert->get_type(sign_cert) == CERT_X509)
+		{
+			keyid = sign_x509->get_authKeyIdentifier(sign_x509);
+		}
+		if (keyid.len ||
+			sign_key->get_fingerprint(sign_key, KEYID_PUBKEY_SHA1, &keyid))
 		{
 			authKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
 							asn1_build_known_oid(OID_AUTHORITY_KEY_ID),