Include self-signed flag in certificates.

Include self-signed flag in certificates by checking SKID/AKID as well as
issuer and subject names. Although this is an incompatible change it should
have little impact in practice because self-issued certificates that are not
self-signed are rarely encountered.

(Imported from upstream's c00f8d697aed17edbd002e2f6c989d8fbd7c4ecf)
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index b32b60c..c17c0e8 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -364,9 +364,6 @@
 #ifndef OPENSSL_NO_SHA
 	X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
 #endif
-	/* Does subject name match issuer ? */
-	if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
-			 x->ex_flags |= EXFLAG_SI;
 	/* V1 should mean no extensions ... */
 	if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
 	/* Handle basic constraints */
@@ -460,6 +457,14 @@
 	}
 	x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
 	x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
+	/* Does subject name match issuer ? */
+	if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
+			{
+			x->ex_flags |= EXFLAG_SI;
+			/* If SKID matches AKID also indicate self signed */
+			if (X509_check_akid(x, x->akid) == X509_V_OK)
+				x->ex_flags |= EXFLAG_SS;
+			}
 	x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
 	x->nc = X509_get_ext_d2i(x, NID_name_constraints, &j, NULL);
 	if (!x->nc && (j != -1))
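Review bot: EXFLAG_SS is set by the new `X509_check_akid(x, x->akid) == X509_V_OK` test without any signature verification. As far as I know, X509_check_akid also returns X509_V_OK when its akid argument is NULL, so a certificate with matching names and no AKID extension is flagged self-signed. The same appears to hold for an AKID that failed to decode, since the `X509_get_ext_d2i` call just above passes NULL for the error index. Code that branches on EXFLAG_SS during chain building should therefore not read it as proof that the signature verifies under the certificate's own key. I would say so in the comment, e.g. `/* Names match and AKID, if present, matches SKID: treat as self signed. The signature itself is not checked here. */`, and expand the `/* Self signed */` comment in x509v3.h the same way. The enclosing function begins and ends outside this hunk.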
diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h
index ecddb0f..4215793 100644
--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@@ -411,7 +411,6 @@
 #define EXFLAG_CA		0x10
 /* Really self issued not necessarily self signed */
 #define EXFLAG_SI		0x20
-#define EXFLAG_SS		0x20
 #define EXFLAG_V1		0x40
 #define EXFLAG_INVALID		0x80
 #define EXFLAG_SET		0x100
@@ -420,6 +419,8 @@
 
 #define EXFLAG_INVALID_POLICY	0x800
 #define EXFLAG_FRESHEST		0x1000
+/* Self signed */
+#define EXFLAG_SS		0x2000
 
 #define KU_DIGITAL_SIGNATURE	0x0080
 #define KU_NON_REPUDIATION	0x0040