1 files changed, 12 insertions, 13 deletions

diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index d6057c30f..4d7e7bd10 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -347,7 +347,7 @@ static bool parse(private_x509_crl_t *this)
 				break;
 			}
 			case CRL_OBJ_SIGNATURE:
-				this->signature = object;
+				this->signature = chunk_skip(object, 1);
 				break;
 			default:
 				break;
@@ -451,6 +451,7 @@ METHOD(certificate_t, issued_by, bool,
 	signature_scheme_t scheme;
 	bool valid;
 	x509_t *x509 = (x509_t*)issuer;
+	chunk_t keyid = chunk_empty;
 
 	/* check if issuer is an X.509 CA certificate */
 	if (issuer->get_type(issuer) != CERT_X509)
@@ -462,21 +463,16 @@ METHOD(certificate_t, issued_by, bool,
 		return FALSE;
 	}
 
-	/* get the public key of the issuer */
-	key = issuer->get_public_key(issuer);
-
 	/* compare keyIdentifiers if available, otherwise use DNs */
-	if (this->authKeyIdentifier.ptr && key)
+	if (this->authKeyIdentifier.ptr)
 	{
-		chunk_t fingerprint;
-
-		if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) ||
-			!chunk_equals(fingerprint, this->authKeyIdentifier))
+		keyid = x509->get_subjectKeyIdentifier(x509);
+		if (keyid.len && !chunk_equals(keyid, this->authKeyIdentifier))
 		{
 			return FALSE;
 		}
 	}
-	else
+	if (!keyid.len)
 	{
 		if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
 		{
@@ -484,10 +480,13 @@ METHOD(certificate_t, issued_by, bool,
 		}
 	}
 
-	/* determine signature scheme */
 	scheme = signature_scheme_from_oid(this->algorithm);
-
-	if (scheme == SIGN_UNKNOWN || key == NULL)
+	if (scheme == SIGN_UNKNOWN)
+	{
+		return FALSE;
+	}
+	key = issuer->get_public_key(issuer);
+	if (!key)
 	{
 		return FALSE;
 	}