Fix AKID CA lookup

The `authorityCertIssuer` field refers to the Issuer field of the CA being looked up and not its Subject field.
Juliusz Sosinowicz
2025-12-03 10:29:59 +01:00
parent 7b82224462
commit 995e63f6e1
3 changed files with 3 additions and 3 deletions


@@ -5760,7 +5760,7 @@ Signer* GetCAByAKID(void* vp, const byte* issuer, word32 issuerSz,
for (row = 0; row < CA_TABLE_SIZE && ret == NULL; row++) {
for (signers = cm->caTable[row]; signers != NULL;
signers = signers->next) {
if (XMEMCMP(signers->subjectNameHash, nameHash, SIGNER_DIGEST_SIZE)
if (XMEMCMP(signers->issuerNameHash, nameHash, SIGNER_DIGEST_SIZE)
== 0 && XMEMCMP(signers->serialHash, serialHash,
SIGNER_DIGEST_SIZE) == 0) {
ret = signers;
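Review bot: The comparison against `signers->issuerNameHash` should carry a comment saying why the issuer hash is used, because the subject/issuer mix-up this commit corrects is easy to reintroduce: `/* AKID authorityCertIssuer + serial identify the CA cert by its own issuer name and serial, not by its subject */`. For a self-signed root the two hashes are presumably equal, so old and new code would agree there; a regression test with an intermediate CA, whose subject differs from its issuer, would pin the fix. `issuerNameHash` is conditionally compiled (see the struct Signer hunk) and GetCAByAKID's own preprocessor guard lies outside this hunk, so confirm it implies one of HAVE_OCSP, HAVE_CRL or WOLFSSL_AKID_NAME. The function body starts and ends outside the hunk.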


@@ -26077,7 +26077,7 @@ int FillSigner(Signer* signer, DecodedCert* cert, int type, DerBuffer *der)
#endif
XMEMCPY(signer->subjectNameHash, cert->subjectHash,
SIGNER_DIGEST_SIZE);
#if defined(HAVE_OCSP) || defined(HAVE_CRL)
#if defined(HAVE_OCSP) || defined(HAVE_CRL) || defined(WOLFSSL_AKID_NAME)
XMEMCPY(signer->issuerNameHash, cert->issuerHash,
SIGNER_DIGEST_SIZE);
#endif
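Review bot: The condition `defined(HAVE_OCSP) || defined(HAVE_CRL) || defined(WOLFSSL_AKID_NAME)` is written out by hand here and again on the `issuerNameHash` member in the struct Signer hunk, so the copy and the member stay in sync only by convention. A single derived feature macro, defined once and tested in both places and in any other reader or writer of `issuerNameHash` not shown on this page, would remove that duplication. If the two conditions ever diverge, the likely outcome is a build failure or an AKID lookup compared against a hash that was never filled in. FillSigner's body starts and ends outside the hunk.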


@@ -1957,7 +1957,7 @@ struct Signer {
#endif /* !IGNORE_NAME_CONSTRAINTS */
byte subjectNameHash[SIGNER_DIGEST_SIZE];
/* sha hash of names in certificate */
#if defined(HAVE_OCSP) || defined(HAVE_CRL)
#if defined(HAVE_OCSP) || defined(HAVE_CRL) || defined(WOLFSSL_AKID_NAME)
byte issuerNameHash[SIGNER_DIGEST_SIZE];
/* sha hash of issuer names in certificate.
* Used in OCSP to check for authorized
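Review bot: The comment on `issuerNameHash` still describes only the OCSP use, while the new `WOLFSSL_AKID_NAME` arm of the guard makes the member available for the AKID lookup changed in GetCAByAKID. The comment continues past the end of this hunk, so the rest of its wording is not visible here. I would extend it with a line such as `* Also matched against AKID authorityCertIssuer when WOLFSSL_AKID_NAME is defined.` so a reader of the struct sees why the member exists in a build without OCSP or CRL.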