pkcs11: Look for the CKA_ID of the cert if it doesn't match the subjectKeyId
author Raphael Geissert <raphael-externe.geissert@edf.fr>
Wed, 31 Aug 2016 11:22:38 +0000 (13:22 +0200)
committer Tobias Brunner <tobias@strongswan.org>
Tue, 4 Oct 2016 10:09:04 +0000 (12:09 +0200)
commit 9a7049635ecc35ddce73e3ad0ede16b0ea2f271e
tree 68ae01ff27feaad17455d77e5c0825ea8f2abfa6
parent 97c74b565b2870ee889431289c6907a2f5b57b91
pkcs11: Look for the CKA_ID of the cert if it doesn't match the subjectKeyId

charon-nm fails to find the private key when its CKA_ID doesn't match the
subjectKeyIdentifier of the X.509 certificate.  In such cases, the private
key builder now falls back to enumerating all the certificates, looking for
one that matches the supplied subjectKeyIdentifier.  It then uses the CKA_ID
of that certificate to find the corresponding private key.

It effectively means that PKCS#11 tokens where the only identifier to relate
the certificate, the public key, and the private key is the CKA_ID are now
supported by charon-nm.

Fixes #490.
src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
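
The fallback lookup described in the commit message, as an added example that is not the strongSwan plugin's code: it models a token as an in-memory array and resolves a key identifier first as a CKA_ID, then via a certificate's subjectKeyIdentifier. The names `token_obj_t`, `find_key_by_id` and `find_key` are hypothetical, the token contents are constructed, and identifiers are shown as hex strings where a real token holds byte arrays.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Simplified stand-in for PKCS#11 objects on a token (hypothetical model). */
typedef enum { OBJ_CERT, OBJ_PRIVKEY } obj_class_t;

typedef struct {
	obj_class_t cls;
	const char *cka_id; /* CKA_ID attribute */
	const char *ski;    /* subjectKeyIdentifier, certificates only */
	const char *label;
} token_obj_t;

/* Constructed sample token: the first key's CKA_ID differs from its cert's SKI. */
static const token_obj_t token[] = {
	{ OBJ_CERT,    "01",     "a1b2c3", "vpn cert"   },
	{ OBJ_PRIVKEY, "01",     NULL,     "vpn key"    },
	{ OBJ_CERT,    "d4e5f6", "d4e5f6", "other cert" },
	{ OBJ_PRIVKEY, "d4e5f6", NULL,     "other key"  },
	{ OBJ_CERT,    "07",     "ffee00", "ca cert"    }, /* no private key */
};
#define TOKEN_LEN (sizeof(token) / sizeof(token[0]))

/* Find a private key object whose CKA_ID equals id. */
static const token_obj_t *find_key_by_id(const char *id)
{
	for (size_t i = 0; i < TOKEN_LEN; i++)
		if (token[i].cls == OBJ_PRIVKEY && !strcmp(token[i].cka_id, id))
			return &token[i];
	return NULL;
}

/* Direct CKA_ID lookup first; otherwise enumerate certificates, match the
 * subjectKeyIdentifier, and retry with that certificate's CKA_ID. */
static const token_obj_t *find_key(const char *keyid)
{
	const token_obj_t *key = find_key_by_id(keyid);

	for (size_t i = 0; !key && i < TOKEN_LEN; i++)
		if (token[i].cls == OBJ_CERT && !strcmp(token[i].ski, keyid))
			key = find_key_by_id(token[i].cka_id);
	return key;
}

int main(void)
{
	const token_obj_t *key = find_key("a1b2c3");
	printf("%s\n", key ? key->label : "not found");
	return 0;
}
```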