Only CA certificates can be self-issued
[openssl.git] / crypto / x509 / x509_vfy.c
index 3a60d412daf86e94232111ff8e8f773d0f70ef37..2ecdb48f14a00b58cbf1f6f1e14cbd97eb763a97 100644 (file)
@@ -524,8 +524,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
             if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED))
                 return 0;
         }
-        /* Increment path length if not self issued */
-        if (!(x->ex_flags & EXFLAG_SI))
+        /* Increment path length if not a self issued intermediate CA */
+        if (i == 0 || (x->ex_flags & EXFLAG_SI) == 0)
             plen++;
         /*
          * If this certificate is a proxy certificate, the next certificate
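Review bot: The new comment above `if (i == 0 || (x->ex_flags & EXFLAG_SI) == 0)` does not say why index 0 is treated differently, and that is the security-relevant part of the change. RFC 5280 section 4.2.1.9 exempts only self-issued intermediate certificates from pathLenConstraint. A certificate at position 0 (presumably the end-entity certificate) that merely has matching subject and issuer names must still advance `plen`, otherwise the X509_V_ERR_PATH_LENGTH_EXCEEDED check earlier in the loop would apparently admit one more intermediate CA than the constraint allows. I would spell that out, for example `/* Only self-issued intermediate CAs are exempt from pathLenConstraint (RFC 5280 4.2.1.9); the cert at i == 0 always counts */`. The hunk shows neither the comparison that uses `plen` nor any test, so it is worth confirming that a regression test covers a self-issued leaf under a pathlen-constrained CA; the body of check_chain_extensions starts and ends outside this hunk.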