openssl: Don't check signature if issuer doesn't match always
authorTobias Brunner <tobias@strongswan.org>
Wed, 4 Mar 2020 18:26:55 +0000 (19:26 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 6 Mar 2020 10:12:07 +0000 (11:12 +0100)
commit61769fd1e31b49f451dda33a36c7d5cf639698b5
treec0fe56ddf7130b3e98a8ee9e987ffa91eafed08c
parent576107709156ae2e73a8b4afe739c11f51f8e509
openssl: Don't check signature if issuer doesn't match always

Doing this for the self-signed check also (i.e. if this and issuer are
the same) is particularly useful if the issuer uses a different key type.
Otherwise, we'd try to verify the signature with an incompatible key
that would result in a log message.

Fixes #3357.
src/libstrongswan/plugins/openssl/openssl_x509.c