openssl: Consider authorityKeyIdentifier in issued_by()

Prior to verifying the cryptographic signature, check whether the
authorityKeyIdentifier, if present, matches the key ID of the issuing
certificate.
This commit is contained in:
Adrian-Ken Rueegsegger 2021-04-14 15:34:29 +02:00 committed by Tobias Brunner
parent 027c5c9dcb
commit f0c25960ed
1 changed files with 17 additions and 2 deletions


@ -391,6 +391,7 @@ METHOD(certificate_t, issued_by, bool,
public_key_t *key;
bool valid;
x509_t *x509 = (x509_t*)issuer;
chunk_t keyid = chunk_empty;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
const ASN1_BIT_STRING *sig;
#else
@ -417,10 +418,24 @@ METHOD(certificate_t, issued_by, bool,
return FALSE;
}
}
if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
/* compare keyIdentifiers if available, otherwise use DNs */
if (this->authKeyIdentifier.ptr)
{
return FALSE;
keyid = x509->get_subjectKeyIdentifier(x509);
if (keyid.len && !chunk_equals(keyid, this->authKeyIdentifier))
{
return FALSE;
}
}
if (!keyid.len)
{
if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
{
return FALSE;
}
}
key = issuer->get_public_key(issuer);
if (!key)
{
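Review bot: A matching authorityKeyIdentifier now skips the issuer-DN comparison entirely, because the `if (!keyid.len)` block near the end of the hunk only runs when the issuer carries no subjectKeyIdentifier; a certificate whose issuer name differs from the issuer's subject but whose AKI equals that SKI is still handed on to signature verification. RFC 5280 path validation (6.1.3 (a)(4)) requires the issuer-name match independently of key identifiers, so if the key-ID check is meant as an additional pre-filter rather than a substitute, the DN comparison should stay unconditional: `if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer))) { return FALSE; }` kept outside the `keyid.len` condition. If the substitution is deliberate, the comment above `if (this->authKeyIdentifier.ptr)` should state it, e.g. `/* a matching AKI/SKI pair replaces the DN comparison; DNs are compared only when the issuer has no SKI */`, since the current wording reads as if both checks apply. issued_by() begins before this hunk and the signature verification continues after it.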