From: Dr. Stephen Henson
Date: Fri, 3 Dec 2004 00:10:34 +0000 (+0000)
Subject: V1 certificates that aren't self signed can't be accepted as CAs.
X-Git-Tag: BEN_FIPS_TEST_6~14^2~9
X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=8f284faaec659cdac2cd09d1471d34e3fa5889df

V1 certificates that aren't self signed can't be accepted as CAs.
---

diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 8d0ebbeaef..a60d41bc24 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -441,8 +441,6 @@ static int check_ca(const X509 *x)
 /* Older certificates could have Netscape-specific CA types */
 else if (x->ex_flags & EXFLAG_NSCERT
 && x->ex_nscert & NS_ANY_CA) return 5;
- /* 2 means "I don't know...", which is legal for V1 and V2 */
- else if (x->ex_flags & EXFLAG_V1) return 2;
 /* can this still be regarded a CA certificate? I doubt it */
 return 0;
 }