• David Howells's avatar
    X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier · 942223eb
    David Howells authored
    If an X.509 certificate has an AuthorityKeyIdentifier extension that provides
    an issuer and serialNumber, then make it so that these are used in preference
    to the keyIdentifier field also held therein for searching for the signing
    certificate.
    
    If both the issuer+serialNumber and the keyIdentifier are supplied, then the
    certificate is looked up by the former but the latter is checked as well.  If
    the latter doesn't match the subjectKeyIdentifier of the parent certificate,
    EKEYREJECTED is returned.
    
    This makes it possible to chain X.509 certificates based on the issuer and
    serialNumber fields rather than on subjectKeyIdentifier.  This is necessary as
    we are having to deal with keys that are represented by X.509 certificates
    that lack a subjectKeyIdentifier.
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Tested-by: default avatarVivek Goyal <vgoyal@redhat.com>
    942223eb
pkcs7_trust.c 5.03 KB