From 9e59f1abe22ce276fcffccb4ebb3a894e35ac3a6 Mon Sep 17 00:00:00 2001
From: Julius Pfrommer
Date: Mon, 25 Nov 2024 16:54:03 +0100
Subject: [PATCH] refactor(plugins): Remove comparison of authorityKeyIdentifier / subjectKeyIdentifier not supported by CTT

The CTT example Security User X509/001.js expects that an issuer is selected where the authorityKeyIdentifier / subjectKeyIdentifier do not match.

No longer use X509_check_issued, but rather manually check if the issuer name and subject name match -- with no other checks beyond that.
---
 plugins/crypto/openssl/ua_pki_openssl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/plugins/crypto/openssl/ua_pki_openssl.c b/plugins/crypto/openssl/ua_pki_openssl.c
index 5cfaa455b33..67b049e7505 100644
--- a/plugins/crypto/openssl/ua_pki_openssl.c
+++ b/plugins/crypto/openssl/ua_pki_openssl.c
@@ -462,6 +462,7 @@ static X509 *
 openSSLFindNextIssuer(CertContext *ctx, STACK_OF(X509) *stack, X509 *x509, X509 *prev) {
 /* First check issuers from the stack - provided in the same bytestring as
 * the certificate. This can also return x509 itself. */
+ X509_NAME *in = X509_get_issuer_name(x509);
 do {
 int size = sk_X509_num(stack);
 for(int i = 0; i < size; i++) {
@@ -474,7 +475,7 @@ openSSLFindNextIssuer(CertContext *ctx, STACK_OF(X509) *stack, X509 *x509, X509
 /* This checks subject/issuer name and the key usage of the issuer.
 * It does not verify the validity period and if the issuer key was
 * used for the signature. We check that afterwards. */
- if(X509_check_issued(candidate, x509) == 0)
+ if(X509_NAME_cmp(in, X509_get_subject_name(candidate)) == 0)
 return candidate;
 }
 /* Switch from the stack that came with the cert to the issuer list and
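Review bot: The comment kept above the changed `if` in the second hunk is now inaccurate: `X509_NAME_cmp` only compares the candidate's subject against the issuer name of `x509`, so the sentence `This checks subject/issuer name and the key usage of the issuer` no longer describes the code, and key usage is not among the checks the comment defers to "afterwards". Suggest replacing the three comment lines with `/* Match on issuer/subject name only. X509_check_issued is deliberately not used because it also compares AKID/SKID, which the CTT does not expect. Validity period and signature are verified afterwards. */`. Because `X509_check_issued` previously enforced the issuer's key usage, confirm that the subsequent chain verification (outside this hunk) still rejects a name-matching candidate that lacks the CA / keyCertSign constraint; if it does not, the commit widens which certificates can be picked as issuers beyond what the message describes. The new local `in` added in the first hunk would also read more clearly as `issuer_name`. The enclosing function continues past the end of both hunks.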