author | Dr. Stephen Henson <steve@openssl.org> | 2010-02-25 00:01:38 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2010-02-25 00:01:38 +0000 |
commit | b1efb7161f409c81178b9aa95583db3390f90b1b (patch) | |
tree | 65afa3c2ca2047fb7ac4918b3c4f0edf109deaf6 /crypto/x509v3 | |
parent | df4c395c6d344bff7f73f8eddaaf4dbd9889a014 (diff) | |
download | openssl-b1efb7161f409c81178b9aa95583db3390f90b1b.tar.gz |
Include self-signed flag in certificates by checking SKID/AKID as well
as issuer and subject names. Although this is an incompatible change
it should have little impact in practice because self-issued certificates
that are not self-signed are rarely encountered.
Diffstat (limited to 'crypto/x509v3')
-rw-r--r-- | crypto/x509v3/v3_purp.c | 11 | ||||
-rw-r--r-- | crypto/x509v3/x509v3.h | 3 |
2 files changed, 10 insertions, 4 deletions
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 7c4aa323ae..e7cf701160 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -368,9 +368,6 @@ static void x509v3_cache_extensions(X509 *x)
 #ifndef OPENSSL_NO_SHA
 X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
 #endif
- /* Does subject name match issuer ? */
- if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
- x->ex_flags |= EXFLAG_SI;
 /* V1 should mean no extensions ... */
 if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
 /* Handle basic constraints */
@@ -464,6 +461,14 @@ static void x509v3_cache_extensions(X509 *x)
 }
 x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
 x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
+ /* Does subject name match issuer ? */
+ if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
+ {
+ x->ex_flags |= EXFLAG_SI;
+ /* If SKID matches AKID also indicate self signed */
+ if (X509_check_akid(x, x->akid) == X509_V_OK)
+ x->ex_flags |= EXFLAG_SS;
+ }
 x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
 x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
 if (!x->nc && (i != -1))
diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h
index 34909475ae..84cf46f538 100644
--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@@ -414,7 +414,6 @@ struct ISSUING_DIST_POINT_st
 #define EXFLAG_CA 0x10
 /* Really self issued not necessarily self signed */
 #define EXFLAG_SI 0x20
-#define EXFLAG_SS 0x20
 #define EXFLAG_V1 0x40
 #define EXFLAG_INVALID 0x80
 #define EXFLAG_SET 0x100
@@ -423,6 +422,8 @@ struct ISSUING_DIST_POINT_st
 #define EXFLAG_INVALID_POLICY 0x800
 #define EXFLAG_FRESHEST 0x1000
+/* Self signed */
+#define EXFLAG_SS 0x2000
 #define KU_DIGITAL_SIGNATURE 0x0080
 #define KU_NON_REPUDIATION 0x0040
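Review bot: EXFLAG_SS is set from `X509_check_akid(x, x->akid) == X509_V_OK` in the second v3_purp.c hunk, but nothing on this path verifies the certificate's signature, and X509_check_akid returns X509_V_OK when x->akid is NULL (and, as far as I recall, when the AKID carries no keyid to compare against x->skid), so a self-issued certificate with no usable key identifiers is still reported as self-signed. The flag is therefore a name-and-key-identifier heuristic, which the comment `/* If SKID matches AKID also indicate self signed */` does not convey; I would change it to `/* AKID, if present, is consistent with this cert's own SKID/serial/issuer: mark as self signed. Heuristic only: the signature is NOT verified here. */` and put the same caveat next to `#define EXFLAG_SS 0x2000` in the x509v3.h hunk so readers of the header do not assume the bit proves anything cryptographic. Callers that need proof of self-signature still have to verify the certificate against its own public key. x509v3_cache_extensions starts and ends outside the hunk.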