Policy validation fixes.
authorDr. Stephen Henson <steve@openssl.org>
Wed, 30 Jul 2008 15:41:42 +0000 (15:41 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 30 Jul 2008 15:41:42 +0000 (15:41 +0000)
Inhibit any policy count should ignore self issued certificates.
Require explicit policy is the number of certificates before an explicit policy
is required.

crypto/x509v3/pcy_tree.c

index 846d3ea..c8bfa37 100644 (file)
@@ -134,7 +134,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                        if (!(x->ex_flags & EXFLAG_SI)
                                && (cache->explicit_skip != -1)
                                && (cache->explicit_skip < explicit_policy))
-                               explicit_policy = cache->explicit_skip;
+                               explicit_policy = cache->explicit_skip + 1;
                        }
                }
 
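Review bot: The `+ 1` on the added line is uncommented, and the test just above it still compares the raw `cache->explicit_skip` with `explicit_policy`, so the comparison and the assignment now use different offsets. The result is still correct (when `explicit_skip` equals `explicit_policy - 1` the assignment is a no-op), but a comment such as `/* explicit_skip is the number of certificates before an explicit policy is required, hence + 1 */` would save the reader from working that out. The guard here is `!= -1`, while the `any_skip` check in the second hunk uses `>= 0`. If the cache can ever hold another negative value (its setter is not visible here), `(cache->explicit_skip >= 0)` would be the safer and more consistent test. tree_init starts and ends outside the hunk.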
@@ -202,7 +202,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                        }
                else
                        {
-                       any_skip--;
+                       if (!(x->ex_flags & EXFLAG_SI))
+                               any_skip--;
                        if ((cache->any_skip >= 0)
                                && (cache->any_skip < any_skip))
                                any_skip = cache->any_skip;
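Review bot: The self-issued exemption is applied only to `any_skip`. If the same loop in tree_init also decrements a policy-mapping counter unconditionally (that code is outside the hunk), it presumably needs the same `if (!(x->ex_flags & EXFLAG_SI))` guard, otherwise self-issued certificates would still count toward inhibiting mapping. A short comment on the added test, e.g. `/* self-issued certificates do not count towards inhibit any policy */`, would record why the decrement is conditional. The enclosing `else` branch begins before the hunk and tree_init continues past it.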