From: Adrian-Ken Rueegsegger
Date: Wed, 14 Apr 2021 11:45:30 +0000 (+0200)
Subject: openssl: Bring CRL issued_by() in line with x509 plugin
X-Git-Tag: 5.9.3dr2~9
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=97c9158378072c932427f34ed04eadd4e41e3fd4;p=thirdparty%2Fstrongswan.git
openssl: Bring CRL issued_by() in line with x509 plugin
---
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index ca2830ce85..b546bd6368 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -288,9 +288,10 @@ METHOD(certificate_t, issued_by, bool,
 private_openssl_crl_t *this, certificate_t *issuer,
 signature_params_t **scheme)
 {
- chunk_t fingerprint, tbs;
+ chunk_t tbs;
 public_key_t *key;
 x509_t *x509;
+ chunk_t keyid = chunk_empty;
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 const ASN1_BIT_STRING *sig;
 #else
@@ -307,26 +308,29 @@ METHOD(certificate_t, issued_by, bool,
 {
 return FALSE;
 }
- key = issuer->get_public_key(issuer);
- if (!key)
- {
- return FALSE;
- }
- if (this->authKeyIdentifier.ptr && key)
+
+ /* compare keyIdentifiers if available, otherwise use DNs */
+ if (this->authKeyIdentifier.ptr)
 {
- if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) ||
- !chunk_equals(fingerprint, this->authKeyIdentifier))
+ keyid = x509->get_subjectKeyIdentifier(x509);
+ if (keyid.len && !chunk_equals(keyid, this->authKeyIdentifier))
 {
 return FALSE;
 }
 }
- else
+ if (!keyid.len)
 {
 if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
 {
 return FALSE;
 }
 }
+
+ key = issuer->get_public_key(issuer);
+ if (!key)
+ {
+ return FALSE;
+ }
 /* i2d_re_X509_CRL_tbs() was added with 1.1.0 when X509_CRL became opaque */
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 tbs = openssl_i2chunk(re_X509_CRL_tbs, this->crl);
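Review bot: The new comment above `if (this->authKeyIdentifier.ptr)` in the second hunk understates the fallback: because `keyid` stays `chunk_empty` when the issuer certificate carries no subjectKeyIdentifier, the `if (!keyid.len)` branch also runs DN matching for a CRL that does have an authorityKeyIdentifier, not only for one without. I would reword it to `/* match keyIdentifiers if both the CRL's AKI and the issuer's SKI are present, otherwise fall back to comparing the issuer DN */` so a reader does not assume an AKI mismatch is always detected here. It is also worth a one-line note that this identifier/DN match only selects a candidate issuer and that the decision presumably rests on the signature verification over `tbs`, which continues past the end of the hunk; `x509` itself is assigned before the hunk starts, so its validity cannot be confirmed from these lines.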