author | Martin Willi <martin@strongswan.org> | 2009-09-08 11:02:49 +0200 |
committer | Martin Willi <martin@strongswan.org> | 2009-09-08 11:02:49 +0200 |
commit | 5c9252444983911ee05f3bed3189ac46b5e2b18e (patch) | |
tree | 56b2c93b9f9c407c2a70c44c5a6f91f57d6fdd54 /src/libstrongswan/plugins/x509/x509_cert.c | |
parent | 8871e59c1132baa43c977f8314278cd3afb405c6 (diff) | |
download | strongswan-5c9252444983911ee05f3bed3189ac46b5e2b18e.tar.bz2 strongswan-5c9252444983911ee05f3bed3189ac46b5e2b18e.tar.xz |
x509 CA certificates are encoded with a subjectKeyIdentifier
Diffstat (limited to 'src/libstrongswan/plugins/x509/x509_cert.c')
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_cert.c | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index dc789e771..60c961a27 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -1210,6 +1210,7 @@ static bool generate(private_builder_t *this)
 {
 chunk_t extensions = chunk_empty;
 chunk_t basicConstraints = chunk_empty, subjectAltNames = chunk_empty;
+ chunk_t subjectKeyIdentifier = chunk_empty;
 identification_t *issuer, *subject;
 chunk_t key_info;
 signature_scheme_t scheme;
@@ -1309,7 +1310,7 @@ static bool generate(private_builder_t *this)
 }
 if (this->flags & X509_CA)
 {
- chunk_t yes;
+ chunk_t yes, keyid;
 yes = chunk_alloca(1);
 yes.ptr[0] = 0xFF;
@@ -1319,12 +1320,22 @@ static bool generate(private_builder_t *this)
 asn1_wrap(ASN1_OCTET_STRING, "m", asn1_wrap(ASN1_SEQUENCE, "m", asn1_wrap(ASN1_BOOLEAN, "c", yes))));
+ /* add subjectKeyIdentifier to CA certificates */
+ if (this->cert->public_key->get_fingerprint(this->cert->public_key, KEY_ID_PUBKEY_SHA1, &keyid))
+ {
+ subjectKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_SUBJECT_KEY_ID), asn1_wrap(ASN1_OCTET_STRING, "m", asn1_wrap(ASN1_OCTET_STRING, "c", keyid)));
+ }
 }
 if (basicConstraints.ptr || subjectAltNames.ptr)
 {
 extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
- asn1_wrap(ASN1_SEQUENCE, "mm", basicConstraints, subjectAltNames));
+ asn1_wrap(ASN1_SEQUENCE, "mmm", basicConstraints, subjectKeyIdentifier, subjectAltNames));
 }
 this->cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
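Review bot: A failed `get_fingerprint()` call in the new X509_CA branch is silently ignored, so the certificate is still emitted as a CA without the subjectKeyIdentifier that RFC 5280 §4.2.1.2 requires of CA certificates; since `generate()` already returns a bool, a fingerprint that cannot be computed should be reported instead of producing a nonconforming certificate, e.g. an `else` branch that logs the failure through the library's DBG macros and returns FALSE after whatever cleanup the rest of the function needs. The `extensions` guard `if (basicConstraints.ptr || subjectAltNames.ptr)` still names only the other two extensions; it is correct today only because the SKI is built inside the same branch that sets basicConstraints, and adding `subjectKeyIdentifier.ptr` to the condition removes that hidden coupling for anyone who later emits an SKI for end-entity certificates too. `generate()` begins and ends outside the hunks shown.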