Policy validation fixes.

Inhibit any policy count should ignore self issued certificates.
Require explicit policy is the number certificate before an explict policy
is required.

diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 846d3eae047002a6671b224aa4fb69d53459660c..c8bfa3773c9a7e9ff6fff683fa95c9129ea3577c 100644 (file)
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -134,7 +134,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                        if (!(x->ex_flags & EXFLAG_SI)
                                && (cache->explicit_skip != -1)
                                && (cache->explicit_skip < explicit_policy))
-                               explicit_policy = cache->explicit_skip;
+                               explicit_policy = cache->explicit_skip + 1;
                        }
                }
 
@@ -202,7 +202,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                        }
                else
                        {
-                       any_skip--;
+                       if (!(x->ex_flags & EXFLAG_SI))
+                               any_skip--;
                        if ((cache->any_skip >= 0)
                                && (cache->any_skip < any_skip))
                                any_skip = cache->any_skip;