From 995e63f6e11f6d022e6edf37efd05634e5ca8ffb Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 3 Dec 2025 10:29:59 +0100 Subject: [PATCH] Fix AKID CA lookup The `authorityCertIssuer` field refers to the Issuer field of the CA being looked up and not its Subject field. --- src/ssl.c | 2 +- wolfcrypt/src/asn.c | 2 +- wolfssl/wolfcrypt/asn.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 2cda8ea4d..fa8f3dc74 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -5760,7 +5760,7 @@ Signer* GetCAByAKID(void* vp, const byte* issuer, word32 issuerSz, for (row = 0; row < CA_TABLE_SIZE && ret == NULL; row++) { for (signers = cm->caTable[row]; signers != NULL; signers = signers->next) { - if (XMEMCMP(signers->subjectNameHash, nameHash, SIGNER_DIGEST_SIZE) + if (XMEMCMP(signers->issuerNameHash, nameHash, SIGNER_DIGEST_SIZE) == 0 && XMEMCMP(signers->serialHash, serialHash, SIGNER_DIGEST_SIZE) == 0) { ret = signers; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index e54c9cc99..8d5f765b5 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -26077,7 +26077,7 @@ int FillSigner(Signer* signer, DecodedCert* cert, int type, DerBuffer *der) #endif XMEMCPY(signer->subjectNameHash, cert->subjectHash, SIGNER_DIGEST_SIZE); - #if defined(HAVE_OCSP) || defined(HAVE_CRL) + #if defined(HAVE_OCSP) || defined(HAVE_CRL) || defined(WOLFSSL_AKID_NAME) XMEMCPY(signer->issuerNameHash, cert->issuerHash, SIGNER_DIGEST_SIZE); #endif diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index e41f8f08e..e9dd8834f 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h 
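Review bot: The switch to `signers->issuerNameHash` is the right pairing for an AKID lookup (authorityCertIssuer/authorityCertSerialNumber name the CA certificate's own issuer and serial, RFC 5280 §4.2.1.1), but nothing at the comparison records that, so a later reader will see a CA table searched by issuer instead of subject and may "fix" it back; add `/* AKID names the CA cert by its own issuer + serial (RFC 5280 4.2.1.1), not by its subject */` above the `if`. The field exists only when HAVE_OCSP, HAVE_CRL or WOLFSSL_AKID_NAME is defined (see the asn.h hunk), so if GetCAByAKID can be compiled outside those guards — not visible here — this reference no longer builds. The inner `for` keeps scanning after `ret = signers;` because its condition tests only `signers != NULL`, so a duplicate CA entry with the same issuer/serial makes the last one win; a `break;` after the assignment would make the first match authoritative, unless one already follows outside the hunk. GetCAByAKID's body continues past the hunk.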
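Review bot: The guard `#if defined(HAVE_OCSP) || defined(HAVE_CRL) || defined(WOLFSSL_AKID_NAME)` is now spelled out here and again in the asn.h hunk, and the two must stay identical or `signer->issuerNameHash` is either undeclared or silently left unset; a single macro defined once in asn.h under that condition (e.g. a constructed `WOLFSSL_SIGNER_ISSUER_HASH`) and tested in both places would keep them in step. Any other site that fills or copies a Signer under the old two-macro guard — a cache save/restore path, if the build has one, which is not visible here — would leave `issuerNameHash` all zero in an AKID-only build, so GetCAByAKID would match nothing; that fails closed, but the old guard is worth grepping for. FillSigner's body continues outside the hunk.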
@@ -1957,7 +1957,7 @@ struct Signer { #endif /* !IGNORE_NAME_CONSTRAINTS */ byte subjectNameHash[SIGNER_DIGEST_SIZE]; /* sha hash of names in certificate */ - #if defined(HAVE_OCSP) || defined(HAVE_CRL) + #if defined(HAVE_OCSP) || defined(HAVE_CRL) || defined(WOLFSSL_AKID_NAME) byte issuerNameHash[SIGNER_DIGEST_SIZE]; /* sha hash of issuer names in certificate. * Used in OCSP to check for authorized