From 592a207b94dadbd03f352e8f74133efc0a141e3d Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Wed, 30 Jul 2008 15:41:42 +0000
Subject: [PATCH] Policy validation fixes. Inhibit any policy count should ignore self issued certificates. Require explicit policy is the number certificate before an explict policy is required.
---
 crypto/x509v3/pcy_tree.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 846d3eae04..c8bfa3773c 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -134,7 +134,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
 if (!(x->ex_flags & EXFLAG_SI)
 && (cache->explicit_skip != -1)
 && (cache->explicit_skip < explicit_policy))
- explicit_policy = cache->explicit_skip;
+ explicit_policy = cache->explicit_skip + 1;
 }
 }
@@ -202,7 +202,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
 }
 else
 {
- any_skip--;
+ if (!(x->ex_flags & EXFLAG_SI))
+ any_skip--;
 if ((cache->any_skip >= 0)
 && (cache->any_skip < any_skip))
 any_skip = cache->any_skip;
--
2.25.1
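Review bot: The self-issued test still guards the whole condition in the first hunk, so a requireExplicitPolicy value carried by a self-issued certificate is never applied to `explicit_policy`, while the second hunk exempts self-issued certificates only from the decrement and still applies `cache->any_skip`. As I read RFC 5280 section 6.1.4, self-issued certificates are exempt from the counter decrement but not from policyConstraints processing, so leaving the guard here can make validation more lenient than the issuing CA intended. I would drop the flag test from this condition, `if ((cache->explicit_skip != -1) && (cache->explicit_skip < explicit_policy))`, and keep `!(x->ex_flags & EXFLAG_SI)` only on the decrement. The enclosing block starts outside the hunk, so where `explicit_policy` is decremented should be confirmed before changing it.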
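Review bot: In the second hunk the two skip counters are now handled asymmetrically with no explanation in the code: the first hunk stores `cache->explicit_skip + 1`, but this branch still stores `cache->any_skip` unadjusted. If that difference is intended, a comment above the guarded decrement such as `/* self-issued certificates do not consume inhibitAnyPolicy skipCerts */`, plus one line saying why no `+ 1` is needed for `any_skip`, would stop a later reader from "fixing" one side to match the other. The `if` that pairs with this `else` is outside the hunk, so how `any_skip == 0` is handled for a self-issued certificate cannot be checked from here. A regression test with a self-issued intermediate that carries inhibitAnyPolicy would pin the intended count.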