author | Christian Hesse <mail@eworm.de> | 2020-04-03 16:39:30 +0200 |
---|---|---|
committer | Christian Hesse <mail@eworm.de> | 2021-02-09 09:58:46 +0100 |
commit | 0c2143298d1d4908429e9d5d04aa6b055e88dc13 (patch) | |
tree | 2eb39a1ef680ccb4fc2dfff114dbecac74f94303 | |
parent | dad525173cf58f0a3a95feacc1d661dc766d0e87 (diff) |
global-functions: $CertificateAvailable: check chain by akid and skidrouteros-6.47
We can merge this when RouterOS 6.47 moves to long-term...
-rw-r--r-- | global-functions | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/global-functions b/global-functions
index 29ff999..851e632 100644
--- a/global-functions
+++ b/global-functions
@@ -60,6 +60,7 @@
 :global CertificateDownload;
 :global LogPrintExit;
 :global ParseKeyValueStore;
+ :global RequiredRouterOS;
 :if ([ / system resource get free-hdd-space ] < 8388608 && \
 [ / certificate settings get crl-download ] = true && \
@@ -75,19 +76,21 @@
 }
 }
- :local CertVal;
- :local Issuer $CommonName;
+ :if ([ $RequiredRouterOS ("\$CertificateAvailable") "6.47" ] = false) do={
+ :return true;
+ }
+
+ :local CertVal [ / certificate get [ find where common-name=$CommonName ] ];
 :do {
- :if ([ :len [ / certificate find where common-name=$Issuer ] ] = 0) do={
+ :if ([ :len [ / certificate find where skid=($CertVal->"akid") ] ] = 0) do={
 $LogPrintExit info ("Certificate chain for \"" . $CommonName . \
- "\" is incomplete, missing \"" . $Issuer . "\".") false;
+ "\" is incomplete, missing \"" . ([ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN") . "\".") false;
 :if ([ $CertificateDownload $CommonName ] = false) do={
 :return false;
 }
 }
- :set CertVal [ / certificate get [ find where common-name=$Issuer ] ];
- :set Issuer ([ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN");
- } while=($Issuer != $CertVal->"common-name");
+ :set CertVal [ / certificate get [ find where skid=($CertVal->"akid") ] ];
+ } while=(($CertVal->"akid") != "" && ($CertVal->"akid") != ($CertVal->"skid"));
 :return true;
 }
@@ -1104,7 +1107,7 @@
 }
 # check for required RouterOS version
-$RequiredRouterOS "global-functions" "6.43";
+$RequiredRouterOS "global-functions" "6.47";
 # signal we are ready
 :set GlobalFunctionsReady true; |
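Review bot: The `:do { … } while=(…)` loop in the second hunk tests the akid guard only after the body has run, so for a certificate whose `akid` is empty the first `find where skid=($CertVal->"akid")` is evaluated with an empty value; what that lookup matches is not visible here, but if it matches nothing the later `certificate get [ find … ]` is handed an empty set even after a successful download. Testing before the body avoids this: open the loop with `:while (($CertVal->"akid") != "" && ($CertVal->"akid") != ($CertVal->"skid")) do={` and close it with a plain `}`. Separately, the new early `:return true;` for RouterOS older than 6.47 reports the chain as available without having checked it; a comment such as `# akid/skid not available before 6.47, chain is assumed present` would make that fail-open choice explicit, or the branch could return false if callers should not proceed unchecked. The body of `$CertificateAvailable` begins above this hunk.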