From 97c9158378072c932427f34ed04eadd4e41e3fd4 Mon Sep 17 00:00:00 2001
From: Adrian-Ken Rueegsegger
Date: Wed, 14 Apr 2021 13:45:30 +0200
Subject: [PATCH] openssl: Bring CRL issued_by() in line with x509 plugin

---
 .../plugins/openssl/openssl_crl.c | 24 +++++++++++--------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index ca2830ce85..b546bd6368 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -288,9 +288,10 @@ METHOD(certificate_t, issued_by, bool,
 private_openssl_crl_t *this, certificate_t *issuer,
 signature_params_t **scheme)
 {
- chunk_t fingerprint, tbs;
+ chunk_t tbs;
 public_key_t *key;
 x509_t *x509;
+ chunk_t keyid = chunk_empty;
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 const ASN1_BIT_STRING *sig;
 #else
@@ -307,26 +308,29 @@ METHOD(certificate_t, issued_by, bool,
 {
 return FALSE;
 }
- key = issuer->get_public_key(issuer);
- if (!key)
- {
- return FALSE;
- }
- if (this->authKeyIdentifier.ptr && key)
+
+ /* compare keyIdentifiers if available, otherwise use DNs */
+ if (this->authKeyIdentifier.ptr)
 {
- if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) ||
- !chunk_equals(fingerprint, this->authKeyIdentifier))
+ keyid = x509->get_subjectKeyIdentifier(x509);
+ if (keyid.len && !chunk_equals(keyid, this->authKeyIdentifier))
 {
 return FALSE;
 }
 }
- else
+ if (!keyid.len)
 {
 if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
 {
 return FALSE;
 }
 }
+
+ key = issuer->get_public_key(issuer);
+ if (!key)
+ {
+ return FALSE;
+ }
 /* i2d_re_X509_CRL_tbs() was added with 1.1.0 when X509_CRL became opaque */
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 tbs = openssl_i2chunk(re_X509_CRL_tbs, this->crl);
-- 
2.47.2
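Review bot: In the second hunk, when the CRL carries an authorityKeyIdentifier but the issuer certificate yields an empty subjectKeyIdentifier, the new `if (!keyid.len)` branch silently falls back to DN matching, which a reader could mistake for a missed hard failure rather than the intended pre-filter before the signature check. That intent deserves a comment at the fallback branch, e.g. `/* no SKI in the issuer cert (or no AKI in the CRL): match on DN; the signature check below is the authoritative test */`. Note that `x509` is presumably derived from `issuer` before this hunk and the signature verification that consumes `key` follows after it, so issued_by() starts and ends outside the hunk.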