It seems risky in the context of cross-signed certificates when the
same certificate might have multiple potential issuers. Also rarely
used, since chains in OpenSSL typically only employ self-signed
trust-anchors, whose self-signatures are not checked, while untrusted
certificates are generally ephemeral.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
X509_CINF cert_info;
X509_ALGOR sig_alg;
ASN1_BIT_STRING signature;
- int valid;
int references;
char *name;
CRYPTO_EX_DATA ex_data;
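Review bot: Removing `int valid;` from the middle of `struct x509_st` shifts the offset of `references`, `name`, `ex_data` and every later member, so this hunk is only safe as long as the structure is private to libcrypto and no application indexes into it; it also means every remaining `->valid` read or write in the tree has to go in the same commit or the build breaks, so a grep for the member across crypto/x509 before merging is worth doing. A one-line entry in CHANGES saying the cached validity flag was dropped would help anyone carrying out-of-tree patches against the old layout.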
* explicitly asked for. It doesn't add any security and just wastes
* time.
*/
- if (!xs->valid
- && (xs != xi
- || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
+ if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
if ((pkey = X509_get0_pubkey(xi)) == NULL) {
ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
ctx->current_cert = xi;
}
}
- xs->valid = 1;
-
check_cert:
ok = x509_check_cert_time(ctx, xs, 0);
if (!ok)
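Review bot: With `!xs->valid` gone from the condition at the top of this hunk, the issuer-key lookup and signature check run on every pass through the loop, so an X509 object reused across several verification calls is re-verified each time instead of trusting a flag set by an earlier run; that is the right call for a certificate that can chain to more than one issuer (the old flag recorded nothing about which issuer had been checked), but it costs one extra public-key operation per non-self-signed chain element per call, and the comment above the condition still only explains the self-signed skip, so a sentence noting that no result is cached any more would keep it accurate. Since `xs->valid = 1;` is removed but the `check_cert:` label is kept, confirm that a `goto check_cert` elsewhere in the function still targets it, otherwise the label is unused and will draw a compiler warning.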
switch (operation) {
case ASN1_OP_NEW_POST:
- ret->valid = 0;
ret->name = NULL;
ret->ex_flags = 0;
ret->ex_pathlen = -1;
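Review bot: Dropping `ret->valid = 0;` from the ASN1_OP_NEW_POST initializer is the necessary counterpart to removing the member, and `name`, `ex_flags` and `ex_pathlen` are still reset here as before; please also check the ASN1_OP_D2I_POST and free paths of this same callback for any other reset of the flag, since a leftover write to a member that no longer exists will fail to compile, and a re-decoded certificate must not retain cached extension state either.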