提交 b1efb716 编写于 作者: D Dr. Stephen Henson

Include self-signed flag in certificates by checking SKID/AKID as well

as issuer and subject names. Although this is an incompatible change
it should have little impact in practice because self-issued certificates
that are not self-signed are rarely encountered.
上级 df4c395c
...@@ -368,9 +368,6 @@ static void x509v3_cache_extensions(X509 *x) ...@@ -368,9 +368,6 @@ static void x509v3_cache_extensions(X509 *x)
#ifndef OPENSSL_NO_SHA #ifndef OPENSSL_NO_SHA
X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
#endif #endif
/* Does subject name match issuer ? */
if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
x->ex_flags |= EXFLAG_SI;
/* V1 should mean no extensions ... */ /* V1 should mean no extensions ... */
if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1; if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
/* Handle basic constraints */ /* Handle basic constraints */
...@@ -464,6 +461,14 @@ static void x509v3_cache_extensions(X509 *x) ...@@ -464,6 +461,14 @@ static void x509v3_cache_extensions(X509 *x)
} }
x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
/* Does subject name match issuer ? */
if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
{
x->ex_flags |= EXFLAG_SI;
/* If SKID matches AKID also indicate self signed */
if (X509_check_akid(x, x->akid) == X509_V_OK)
x->ex_flags |= EXFLAG_SS;
}
x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL); x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
if (!x->nc && (i != -1)) if (!x->nc && (i != -1))
......
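Review bot: EXFLAG_SS is set at the new lines 27-29 from a name comparison plus X509_check_akid() only; no signature is verified, so a certificate whose subject equals its issuer and whose AKID agrees with its SKID is flagged "self signed" even when its signature would not verify. As far as I recall X509_check_akid() returns X509_V_OK for a NULL akid, in which case a certificate carrying neither SKID nor AKID also receives the flag; worth confirming against that function. Callers must therefore not read EXFLAG_SS as proof of a valid self-signature, and the site should say so: `/* Structural test only: subject == issuer and SKID/AKID agree. The signature is not verified here; X509_verify() still has to be called. */`. x509v3_cache_extensions() begins and ends outside both hunks.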
...@@ -414,7 +414,6 @@ struct ISSUING_DIST_POINT_st ...@@ -414,7 +414,6 @@ struct ISSUING_DIST_POINT_st
#define EXFLAG_CA 0x10 #define EXFLAG_CA 0x10
/* Really self issued not necessarily self signed */ /* Really self issued not necessarily self signed */
#define EXFLAG_SI 0x20 #define EXFLAG_SI 0x20
#define EXFLAG_SS 0x20
#define EXFLAG_V1 0x40 #define EXFLAG_V1 0x40
#define EXFLAG_INVALID 0x80 #define EXFLAG_INVALID 0x80
#define EXFLAG_SET 0x100 #define EXFLAG_SET 0x100
...@@ -423,6 +422,8 @@ struct ISSUING_DIST_POINT_st ...@@ -423,6 +422,8 @@ struct ISSUING_DIST_POINT_st
#define EXFLAG_INVALID_POLICY 0x800 #define EXFLAG_INVALID_POLICY 0x800
#define EXFLAG_FRESHEST 0x1000 #define EXFLAG_FRESHEST 0x1000
/* Self signed */
#define EXFLAG_SS 0x2000
#define KU_DIGITAL_SIGNATURE 0x0080 #define KU_DIGITAL_SIGNATURE 0x0080
#define KU_NON_REPUDIATION 0x0040 #define KU_NON_REPUDIATION 0x0040
......
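Review bot: The value of EXFLAG_SS moves from 0x20, where it aliased EXFLAG_SI, to 0x2000, so existing code testing `ex_flags & EXFLAG_SS` changes meaning: it used to be true for every self-issued certificate and now holds only when the SKID/AKID test in x509v3_cache_extensions() also passed. The commit message acknowledges the incompatibility, but the one-line comment added above the new definition should state what the bit asserts and how it is derived, e.g. `/* Self signed: implies EXFLAG_SI and SKID/AKID agree. Derived from identifiers, not from a signature check. */`. 0x2000 does not collide with any EXFLAG_ value visible in these hunks, though the rest of the flag list lies outside them.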