From 6c6d72e4d64b26a6e8f02d61db691857b9a853c1 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Wed, 18 Dec 2019 10:17:51 -0800
Subject: [PATCH] Find CRL Signer By AuthKeyId

When looking up the signer of the CRL by SKID/AKID, also verify that the CRL issuer name matches the CA's subject name, per RFC 5280 section 4.1.2.6.
---
 wolfcrypt/src/asn.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index ffe9e2cb9..b9bc622ca 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -16180,10 +16180,16 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
 if experiencing issues uncomment NO_SKID define in CRL section of
 wolfssl/wolfcrypt/settings.h */
 #ifndef NO_SKID
- if (dcrl->extAuthKeyIdSet)
+ if (dcrl->extAuthKeyIdSet) {
 ca = GetCA(cm, dcrl->extAuthKeyId); /* more unique than issuerHash */
- if (ca == NULL)
+ }
+ if (ca != NULL && XMEMCMP(dcrl->issuerHash, ca->subjectNameHash,
+ KEYID_SIZE) != 0) {
+ ca = NULL;
+ }
+ if (ca == NULL) {
 ca = GetCAByName(cm, dcrl->issuerHash); /* last resort */
+ }
 #else
 ca = GetCA(cm, dcrl->issuerHash);
 #endif /* !NO_SKID */
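Review bot: The new XMEMCMP line compares dcrl->issuerHash with ca->subjectNameHash over KEYID_SIZE bytes, which ties the length of a name-hash comparison to the key-identifier size; if those two hash fields are sized by a different constant than KEYID_SIZE the comparison is either partial or over-reads, so confirm the sizes agree or compare over the arrays' own size. The rationale for discarding the AKID hit lives only in the commit message; a comment above the check such as `/* RFC 5280 4.1.2.6: the CRL issuer must equal the CA's subject, otherwise the AKID match is not this CRL's signer */` would make the subsequent fall-through to GetCAByName read as deliberate rather than as a leftover. When the AKID match is reset to NULL for a name mismatch, the by-name lookup takes over silently, and if the name-matched CA holds a different key the failure only surfaces later at signature verification; a debug log at the `ca = NULL;` line would make that path diagnosable. ParseCRL begins before the hunk, and whether ca is initialised to NULL before this block when extAuthKeyIdSet is clear is not visible here.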