authorTobias Brunner <tobias@strongswan.org>2013-04-01 13:46:23 +0200
committerTobias Brunner <tobias@strongswan.org>2013-04-01 13:48:34 +0200
commiteca499f3d9431a14d0aabe02288246318e23ec98 (patch)
tree261cccc6c5c36af99d4333d020c96c6a1eacd838 /src
parenta009aedb0bbb568b7b4d63a9931f3c69029e55c8 (diff)
downloadstrongswan-eca499f3d9431a14d0aabe02288246318e23ec98.tar.bz2
strongswan-eca499f3d9431a14d0aabe02288246318e23ec98.tar.xz
Load raw keys before possibly destroying the identity
If no identity (or %any) is configured, the identification_t object is destroyed, so an invalid object was associated with the created pubkey certificate. Actually using %any does not work anyway, as the certificate would not match when the client later provides an identity.
Diffstat (limited to 'src')
-rw-r--r--src/libcharon/plugins/stroke/stroke_config.c23
1 files changed, 11 insertions, 12 deletions
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 5970e7cf3..86f0fe431 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -485,6 +485,17 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
identity = identity->clone(identity);
}
}
+ /* add raw RSA public key */
+ pubkey = end->rsakey;
+ if (pubkey && !streq(pubkey, "") && !streq(pubkey, "%cert"))
+ {
+ certificate = this->cred->load_pubkey(this->cred, KEY_RSA, pubkey,
+ identity);
+ if (certificate)
+ {
+ cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
+ }
+ }
if (identity->get_type(identity) != ID_ANY)
{
cfg->add(cfg, AUTH_RULE_IDENTITY, identity);
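Review bot: The moved `load_pubkey()` call now receives a live `identity`, but the fix only holds if `load_pubkey()` clones (or takes a reference on) the identity rather than storing the pointer; in the `ID_ANY` branch the object is still destroyed further down, so a stored pointer would dangle exactly as before, just later. It is worth confirming that against the credential manager and recording the assumption at the new block, e.g. `/* identity is still valid here; it is destroyed below for %any, so load_pubkey() must not keep the pointer */`. The failure case of `load_pubkey()` is also still silent here, which with a configured `rsakey` leaves the peer with no subject certificate rule; a debug-level log line would make a bad key file visible. build_auth_cfg() begins before this hunk.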
@@ -498,18 +509,6 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
identity->destroy(identity);
}
- /* add raw RSA public key */
- pubkey = end->rsakey;
- if (pubkey && !streq(pubkey, "") && !streq(pubkey, "%cert"))
- {
- certificate = this->cred->load_pubkey(this->cred, KEY_RSA, pubkey,
- identity);
- if (certificate)
- {
- cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
- }
- }
-
/* CA constraint */
if (ca)
{