Include self-signed flag in certificates by checking SKID/AKID as well

as issuer and subject names. Although this is an incompatible change
it should have little impact in pratice because self-issued certificates
that are not self-signed are rarely encountered.

diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 7c4aa323aedd9846f9f914b6cb3ad2c28f964d7f..e7cf7011604af0ea94ecbfa96686d4d19f94ac53 100644 (file)
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -368,9 +368,6 @@ static void x509v3_cache_extensions(X509 *x)
 #ifndef OPENSSL_NO_SHA
        X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
 #endif
-       /* Does subject name match issuer ? */
-       if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
-                        x->ex_flags |= EXFLAG_SI;
        /* V1 should mean no extensions ... */
        if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
        /* Handle basic constraints */
@@ -464,6 +461,14 @@ static void x509v3_cache_extensions(X509 *x)
        }
        x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
        x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
+       /* Does subject name match issuer ? */
+       if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
+                       {
+                       x->ex_flags |= EXFLAG_SI;
+                       /* If SKID matches AKID also indicate self signed */
+                       if (X509_check_akid(x, x->akid) == X509_V_OK)
+                               x->ex_flags |= EXFLAG_SS;
+                       }
        x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
        x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
        if (!x->nc && (i != -1))

diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h
index 34909475ae6e9677a203066e50d08e9b3fc5af23..84cf46f538634d2016a13dcf3609f1cb6c9582c5 100644 (file)
--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@@ -414,7 +414,6 @@ struct ISSUING_DIST_POINT_st
 #define EXFLAG_CA              0x10
 /* Really self issued not necessarily self signed */
 #define EXFLAG_SI              0x20
-#define EXFLAG_SS              0x20
 #define EXFLAG_V1              0x40
 #define EXFLAG_INVALID         0x80
 #define EXFLAG_SET             0x100
@@ -423,6 +422,8 @@ struct ISSUING_DIST_POINT_st
 
 #define EXFLAG_INVALID_POLICY  0x800
 #define EXFLAG_FRESHEST                0x1000
+/* Self signed */
+#define EXFLAG_SS              0x2000
 
 #define KU_DIGITAL_SIGNATURE   0x0080
 #define KU_NON_REPUDIATION     0x0040