sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-05 00:00:45 -04:00
Code Issues Projects Releases Wiki Activity

openssl: Consider authorityKeyIdentifier in issued_by()

Browse Source 
Prior to verifying the cryptographic signature, check if the
authorityKeyIdentifier matches the key ID of the issuing certificate if
it is available.
This commit is contained in:
Adrian-Ken Rueegsegger 2021-04-14 15:34:29 +02:00 committed by Tobias Brunner
parent 027c5c9dcb
commit f0c25960ed
1 changed files with 17 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/libstrongswan/plugins/openssl/openssl_x509.c
View File

@ -391,6 +391,7 @@ METHOD(certificate_t, issued_by, bool,
public_key_t *key; public_key_t *key;
bool valid; bool valid;
x509_t *x509 = (x509_t*)issuer; x509_t *x509 = (x509_t*)issuer;
chunk_t keyid = chunk_empty;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L #if OPENSSL_VERSION_NUMBER >= 0x10100000L
const ASN1_BIT_STRING *sig; const ASN1_BIT_STRING *sig;
#else #else
@ -417,10 +418,24 @@ METHOD(certificate_t, issued_by, bool,
return FALSE; return FALSE;
} }
} }
if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
/* compare keyIdentifiers if available, otherwise use DNs */
if (this->authKeyIdentifier.ptr)
{ {
return FALSE; keyid = x509->get_subjectKeyIdentifier(x509);
if (keyid.len && !chunk_equals(keyid, this->authKeyIdentifier))
{
return FALSE;
}
} }
if (!keyid.len)
{
if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
{
return FALSE;
}
}
key = issuer->get_public_key(issuer); key = issuer->get_public_key(issuer);
if (!key) if (!key)
{ {