Include self-signed flag in certificates. Include self-signed flag in certificates by checking SKID/AKID as well as issuer and subject names. Although this is an incompatible change it should have little impact in pratice because self-issued certificates that are not self-signed are rarely encountered. (Imported from upstream's c00f8d697aed17edbd002e2f6c989d8fbd7c4ecf)
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index b32b60c..c17c0e8 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c
@@ -364,9 +364,6 @@ #ifndef OPENSSL_NO_SHA X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); #endif - /* Does subject name match issuer ? */ - if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) - x->ex_flags |= EXFLAG_SI; /* V1 should mean no extensions ... */ if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1; /* Handle basic constraints */ @@ -460,6 +457,14 @@ } x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); + /* Does subject name match issuer ? */ + if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) + { + x->ex_flags |= EXFLAG_SI; + /* If SKID matches AKID also indicate self signed */ + if (X509_check_akid(x, x->akid) == X509_V_OK) + x->ex_flags |= EXFLAG_SS; + } x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); x->nc = X509_get_ext_d2i(x, NID_name_constraints, &j, NULL); if (!x->nc && (j != -1))
diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h index ecddb0f..4215793 100644 --- a/crypto/x509v3/x509v3.h +++ b/crypto/x509v3/x509v3.h
@@ -411,7 +411,6 @@ #define EXFLAG_CA 0x10 /* Really self issued not necessarily self signed */ #define EXFLAG_SI 0x20 -#define EXFLAG_SS 0x20 #define EXFLAG_V1 0x40 #define EXFLAG_INVALID 0x80 #define EXFLAG_SET 0x100 @@ -420,6 +419,8 @@ #define EXFLAG_INVALID_POLICY 0x800 #define EXFLAG_FRESHEST 0x1000 +/* Self signed */ +#define EXFLAG_SS 0x2000 #define KU_DIGITAL_SIGNATURE 0x0080 #define KU_NON_REPUDIATION 0x0040