6 files changed, 47 insertions, 30 deletions

diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index 2a1ef638b..c0a64fc5d 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -886,7 +886,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_x509_ac_t *this, certificate_t *issuer, signature_scheme_t *schemep)
+	private_x509_ac_t *this, certificate_t *issuer,
+	signature_params_t **schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@@ -938,7 +939,9 @@ METHOD(certificate_t, issued_by, bool,
 	key->destroy(key);
 	if (valid && schemep)
 	{
-		*schemep = scheme;
+		INIT(*schemep,
+			.scheme = scheme,
+		);
 	}
 	return valid;
 }
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 6d2fb9de7..9bb272a4f 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -1677,18 +1677,26 @@ METHOD(certificate_t, has_issuer, id_match_t,
 
 METHOD(certificate_t, issued_by, bool,
 	private_x509_cert_t *this, certificate_t *issuer,
-	signature_scheme_t *schemep)
+	signature_params_t **schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
 	bool valid;
 	x509_t *x509 = (x509_t*)issuer;
 
+	/* determine signature scheme */
+	scheme = signature_scheme_from_oid(this->algorithm);
+	if (scheme == SIGN_UNKNOWN)
+	{
+		return FALSE;
+	}
+
 	if (&this->public.interface.interface == issuer)
 	{
 		if (this->flags & X509_SELF_SIGNED)
 		{
-			return TRUE;
+			valid = TRUE;
+			goto out;
 		}
 	}
 	else
@@ -1707,12 +1715,6 @@ METHOD(certificate_t, issued_by, bool,
 		return FALSE;
 	}
 
-	/* determine signature scheme */
-	scheme = signature_scheme_from_oid(this->algorithm);
-	if (scheme == SIGN_UNKNOWN)
-	{
-		return FALSE;
-	}
 	/* get the public key of the issuer */
 	key = issuer->get_public_key(issuer);
 	if (!key)
@@ -1722,9 +1724,13 @@ METHOD(certificate_t, issued_by, bool,
 	valid = key->verify(key, scheme, NULL, this->tbsCertificate,
 						this->signature);
 	key->destroy(key);
+
+out:
 	if (valid && schemep)
 	{
-		*schemep = scheme;
+		INIT(*schemep,
+			.scheme = scheme,
+		);
 	}
 	return valid;
 }
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index 8ea70252f..2712ad83e 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -457,7 +457,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_x509_crl_t *this, certificate_t *issuer, signature_scheme_t *schemep)
+	private_x509_crl_t *this, certificate_t *issuer,
+	signature_params_t **schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@@ -506,7 +507,9 @@ METHOD(certificate_t, issued_by, bool,
 	key->destroy(key);
 	if (valid && schemep)
 	{
-		*schemep = scheme;
+		INIT(*schemep,
+			.scheme = scheme,
+		);
 	}
 	return valid;
 }
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index de2ad9878..de22ab6be 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -372,7 +372,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 
 METHOD(certificate_t, issued_by, bool,
 	private_x509_ocsp_request_t *this, certificate_t *issuer,
-	signature_scheme_t *scheme)
+	signature_params_t **scheme)
 {
 	DBG1(DBG_LIB, "OCSP request validation not implemented!");
 	return FALSE;
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index fd0d84e48..e803c185c 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -703,7 +703,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 
 METHOD(certificate_t, issued_by, bool,
 	private_x509_ocsp_response_t *this, certificate_t *issuer,
-	signature_scheme_t *schemep)
+	signature_params_t **schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@@ -758,7 +758,9 @@ METHOD(certificate_t, issued_by, bool,
 	key->destroy(key);
 	if (valid && schemep)
 	{
-		*schemep = scheme;
+		INIT(*schemep,
+			.scheme = scheme,
+		);
 	}
 	return valid;
 }
diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c
index beeb436ab..019ccf7c1 100644
--- a/src/libstrongswan/plugins/x509/x509_pkcs10.c
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c
@@ -124,7 +124,7 @@ METHOD(certificate_t, has_subject, id_match_t,
 
 METHOD(certificate_t, issued_by, bool,
 	private_x509_pkcs10_t *this, certificate_t *issuer,
-	signature_scheme_t *schemep)
+	signature_params_t **schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@@ -134,29 +134,32 @@ METHOD(certificate_t, issued_by, bool,
 	{
 		return FALSE;
 	}
-	if (this->self_signed)
-	{
-		return TRUE;
-	}
-
 	/* determine signature scheme */
 	scheme = signature_scheme_from_oid(this->algorithm);
 	if (scheme == SIGN_UNKNOWN)
 	{
 		return FALSE;
 	}
-
-	/* get the public key contained in the certificate request */
-	key = this->public_key;
-	if (!key)
+	if (this->self_signed)
 	{
-		return FALSE;
+		valid = TRUE;
+	}
+	else
+	{
+		/* get the public key contained in the certificate request */
+		key = this->public_key;
+		if (!key)
+		{
+			return FALSE;
+		}
+		valid = key->verify(key, scheme, NULL, this->certificationRequestInfo,
+							this->signature);
 	}
-	valid = key->verify(key, scheme, NULL, this->certificationRequestInfo,
-						this->signature);
 	if (valid && schemep)
 	{
-		*schemep = scheme;
+		INIT(*schemep,
+			.scheme = scheme,
+		);
 	}
 	return valid;
 }