openssl: Consider authorityKeyIdentifier in issued_by()
Prior to verifying the cryptographic signature, check whether the authorityKeyIdentifier, if available, matches the key ID of the issuing certificate.
This commit is contained in:
parent
027c5c9dcb
commit
f0c25960ed
|
@ -391,6 +391,7 @@ METHOD(certificate_t, issued_by, bool,
|
|||
public_key_t *key;
|
||||
bool valid;
|
||||
x509_t *x509 = (x509_t*)issuer;
|
||||
chunk_t keyid = chunk_empty;
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||
const ASN1_BIT_STRING *sig;
|
||||
#else
|
||||
|
@ -417,10 +418,24 @@ METHOD(certificate_t, issued_by, bool,
|
|||
return FALSE;
|
||||
}
|
||||
}
|
||||
if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
|
||||
|
||||
/* compare keyIdentifiers if available, otherwise use DNs */
|
||||
if (this->authKeyIdentifier.ptr)
|
||||
{
|
||||
return FALSE;
|
||||
keyid = x509->get_subjectKeyIdentifier(x509);
|
||||
if (keyid.len && !chunk_equals(keyid, this->authKeyIdentifier))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
if (!keyid.len)
|
||||
{
|
||||
if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
key = issuer->get_public_key(issuer);
|
||||
if (!key)
|
||||
{
|
||||
|
|
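Review bot: When `this->authKeyIdentifier` is present and matches the issuer's subjectKeyIdentifier, the new code skips the issuer-DN comparison entirely, because the `if (!this->issuer->equals(...))` check now only runs inside `if (!keyid.len)`. RFC 5280 path validation (§6.1.3) still requires the certificate's issuer name to equal the issuing certificate's subject; key identifiers are a lookup hint (§4.2.1.1), so a matching key ID pair does not by itself establish the name chain. If the relaxation is intended, e.g. to tolerate CAs whose subject DN was re-encoded or renamed while keeping the same key, the comment should say so rather than leaving the reader to infer it, for instance `/* compare keyIdentifiers if available, otherwise use DNs; a matching key ID pair overrides a differing issuer DN, the signature check below still binds the issuer key */`; otherwise move the `equals()` check out of the `if (!keyid.len)` guard so it runs unconditionally. Note that a cert carrying an AKI issued by a CA certificate without an SKI falls through to the DN comparison, which seems to be the intended fallback. The body of issued_by, including the signature verification that uses `key`, continues outside this hunk.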