Add cert_self_signed function to simplify verify

(from master)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 990be83da36910b3f4e4b9ccab01824fa4a82cf3..07cd09f69d30f605a1abbf4e62430984c53baab6 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -151,6 +151,15 @@ static int x509_subject_cmp(X509 **a, X509 **b)
        return X509_subject_name_cmp(*a,*b);
        }
 #endif
+/* Return 1 is a certificate is self signed */
+static int cert_self_signed(X509 *x)
+       {
+       X509_check_purpose(x, -1, 0);
+       if (x->ex_flags & EXFLAG_SS)
+               return 1;
+       else
+               return 0;
+       }
 
 /* Given a certificate try and find an exact match in the store */
 
@@ -232,8 +241,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                                         */
 
                /* If we are self signed, we break */
-               if (ctx->check_issued(ctx, x,x)) break;
-
+               if (cert_self_signed(x))
+                       break;
                /* If asked see if we can find issuer in trusted store first */
                if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
                        {
@@ -284,7 +293,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 
        i=sk_X509_num(ctx->chain);
        x=sk_X509_value(ctx->chain,i-1);
-       if (ctx->check_issued(ctx, x, x))
+       if (cert_self_signed(x))
                {
                /* we have a self signed certificate */
                if (sk_X509_num(ctx->chain) == 1)
@@ -332,7 +341,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                if (depth < num) break;
 
                /* If we are self signed, we break */
-               if (ctx->check_issued(ctx,x,x)) break;
+               if (cert_self_signed(x))
+                       break;
 
                ok = ctx->get_issuer(&xtmp, ctx, x);