authorDr. Stephen Henson <steve@openssl.org>2010-02-25 00:01:38 +0000
committerDr. Stephen Henson <steve@openssl.org>2014-02-14 15:27:30 +0000
commitc00f8d697aed17edbd002e2f6c989d8fbd7c4ecf (patch)
treee9242519d0863e11e99759c3986c4aaa0642dc98 /crypto
parentb07e4f2f46fc286c306353d5e362cbc22c8547fb (diff)
Include self-signed flag in certificates by checking SKID/AKID as well
as issuer and subject names. Although this is an incompatible change, it should have little impact in practice because self-issued certificates that are not self-signed are rarely encountered. (cherry picked from commit b1efb7161f409c81178b9aa95583db3390f90b1b)
Diffstat (limited to 'crypto')
-rw-r--r--crypto/x509v3/v3_purp.c11
-rw-r--r--crypto/x509v3/x509v3.h3
2 files changed, 10 insertions, 4 deletions
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 0774cbf827..6c40c7dfc3 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -368,9 +368,6 @@ static void x509v3_cache_extensions(X509 *x)
#ifndef OPENSSL_NO_SHA
X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
#endif
- /* Does subject name match issuer ? */
- if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
- x->ex_flags |= EXFLAG_SI;
/* V1 should mean no extensions ... */
if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
/* Handle basic constraints */
@@ -464,6 +461,14 @@ static void x509v3_cache_extensions(X509 *x)
}
x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
+ /* Does subject name match issuer ? */
+ if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
+ {
+ x->ex_flags |= EXFLAG_SI;
+ /* If SKID matches AKID also indicate self signed */
+ if (X509_check_akid(x, x->akid) == X509_V_OK)
+ x->ex_flags |= EXFLAG_SS;
+ }
x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
if (!x->nc && (i != -1))
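Review bot: In the added block, EXFLAG_SS is derived from a subject/issuer name match plus `X509_check_akid(x, x->akid)`, with no signature check, and the comment `/* If SKID matches AKID also indicate self signed */` does not say what happens when the certificate carries no usable AKID. `x->akid` is fetched two lines earlier with a NULL `crit` argument, so an AKID that is absent, duplicated or undecodable all come back as NULL. As far as I recall, X509_check_akid returns X509_V_OK for a NULL akid, which would mark a self-issued certificate in any of those states as self-signed. I would fetch it the way the name-constraints line below does, `x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, &i, NULL);` followed by `if (!x->akid && (i != -1)) x->ex_flags |= EXFLAG_INVALID;`, and extend the comment to `/* Key ids match (or AKID absent): flag as self signed; the signature itself is not verified here */`. x509v3_cache_extensions starts and ends outside this hunk, so callers that rely on EXFLAG_SS as a trust decision should be checked separately.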
diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h
index 92feeeb7dd..0bd12937dc 100644
--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@@ -414,7 +414,6 @@ struct ISSUING_DIST_POINT_st
#define EXFLAG_CA 0x10
/* Really self issued not necessarily self signed */
#define EXFLAG_SI 0x20
-#define EXFLAG_SS 0x20
#define EXFLAG_V1 0x40
#define EXFLAG_INVALID 0x80
#define EXFLAG_SET 0x100
@@ -423,6 +422,8 @@ struct ISSUING_DIST_POINT_st
#define EXFLAG_INVALID_POLICY 0x800
#define EXFLAG_FRESHEST 0x1000
+/* Self signed */
+#define EXFLAG_SS 0x2000
#define KU_DIGITAL_SIGNATURE 0x0080
#define KU_NON_REPUDIATION 0x0040