authorDr. Stephen Henson <steve@openssl.org>2008-07-30 15:41:42 +0000
committerDr. Stephen Henson <steve@openssl.org>2008-07-30 15:41:42 +0000
commit592a207b94dadbd03f352e8f74133efc0a141e3d (patch)
treeae4bb9b89ee23f7741af42c7edcb1390e494c1cb /crypto
parent6bcbac0abb35992732b77912f1cdc07cf9b7adec (diff)
Policy validation fixes.
The inhibit any policy count should ignore self-issued certificates. Require explicit policy is the number of certificates before an explicit policy is required.
Diffstat (limited to 'crypto')
-rw-r--r--crypto/x509v3/pcy_tree.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 846d3eae04..c8bfa3773c 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -134,7 +134,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
if (!(x->ex_flags & EXFLAG_SI)
&& (cache->explicit_skip != -1)
&& (cache->explicit_skip < explicit_policy))
- explicit_policy = cache->explicit_skip;
+ explicit_policy = cache->explicit_skip + 1;
}
}
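Review bot: The self-issued test is used differently for the two counters in this commit: here `!(x->ex_flags & EXFLAG_SI)` decides whether the certificate's own `explicit_skip` is honoured at all, while the any_skip hunk at -202 uses the same flag only to gate the decrement and still applies `cache->any_skip`. If the intent is the RFC 5280 section 6.1.4 processing, a self-issued certificate should only be exempt from the decrement and its requireExplicitPolicy value should still lower `explicit_policy`; as written, a self-issued intermediate's constraint appears to be skipped, which could delay the point at which a path without a valid policy is rejected. The `+ 1` also needs a comment next to it, for example `/* requireExplicitPolicy is the number of certificates allowed before an explicit policy is required */`. The decrement of `explicit_policy` and the rest of tree_init lie outside the hunk, so the ordering of decrement and minimum cannot be confirmed from these lines.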
@@ -202,7 +202,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
}
else
{
- any_skip--;
+ if (!(x->ex_flags & EXFLAG_SI))
+ any_skip--;
if ((cache->any_skip >= 0)
&& (cache->any_skip < any_skip))
any_skip = cache->any_skip;
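Review bot: The new `if (!(x->ex_flags & EXFLAG_SI))` guard has no comment, so the reason a self-issued certificate leaves `any_skip` untouched is recorded only in the commit message. A one-line comment above it, such as `/* Self issued certificates do not count towards the inhibit any policy skip count */`, would keep the rule next to the code it governs. The condition that selects this `else` branch and the rest of tree_init are outside the hunk, so whether `any_skip` can already be zero when the decrement runs cannot be checked from these lines.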