From 6114691fd6ff22e5b3635209cec284292fc95468 Mon Sep 17 00:00:00 2001
From: Marco Oliverio
Date: Thu, 5 Sep 2024 09:49:01 +0000
Subject: [PATCH] ocsp: try lookup certificate using keyHash as KeyId

try to lookup the certificate using the key hash as key identifier first. If we can't find a certificate, it means that the certificate uses another method to compute the key identifier so we need to fallback to linear search.
---
 src/ssl.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index 2940215e8..37e5ce065 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -5113,6 +5113,13 @@ Signer* GetCAByKeyHash(void* vp, const byte* keyHash)
     if (cm == NULL || keyHash == NULL)
         return NULL;
 
+    /* try lookup using keyHash as subjKeyID first */
+    ret = GetCA(vp, (byte*)keyHash);
+    if (ret != NULL && XMEMCMP(ret->subjectKeyHash, keyHash, KEYID_SIZE) == 0) {
+        return ret;
+    }
+
+    /* if we can't find the cert, we have to scan the full table */
     if (wc_LockMutex(&cm->caLock) != 0)
         return NULL;
 
@@ -5120,8 +5127,7 @@ Signer* GetCAByKeyHash(void* vp, const byte* keyHash)
     for (row = 0; row < CA_TABLE_SIZE && ret == NULL; row++) {
         for (signers = cm->caTable[row]; signers != NULL;
              signers = signers->next) {
-            if (XMEMCMP(signers->subjectKeyHash, keyHash, KEYID_SIZE)
-                == 0) {
+            if (XMEMCMP(signers->subjectKeyHash, keyHash, KEYID_SIZE) == 0) {
                 ret = signers;
                 break;
             }
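Review bot: When `GetCA()` returns a non-NULL signer whose `subjectKeyHash` does not match `keyHash`, `ret` is left non-NULL, and the fallback scan in the second hunk is guarded by `ret == NULL` in its `for` condition, so the full-table search is skipped and the function presumably returns that mismatched signer after the unlock. The fast path needs to discard the miss before falling through, e.g. `ret = NULL;` right after the `if (ret != NULL && XMEMCMP(...) == 0) { return ret; }` block, or restructure as `if (ret != NULL) { if (XMEMCMP(...) == 0) return ret; ret = NULL; }`. The `XMEMCMP` on `ret->subjectKeyHash` also dereferences a table entry before `cm->caLock` is taken in this function; whether `GetCA()` returns the pointer under its own lock and whether entries can be freed concurrently is not visible here, so confirm the signer cannot be unloaded between the two calls. The declaration of `ret` and the function's return path lie outside the hunk.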