Policy validation fixes.

Inhibit any policy count should ignore self issued certificates. Require explicit policy is the number certificate before an explict policy is required.

Policy validation fixes.
Inhibit any policy count should ignore self issued certificates. Require explicit policy is the number certificate before an explict policy is required.
592a207b · Dr. Stephen Henson · 6bcbac0a · 592a207b
隐藏空白更改
内联并排

Showing with 3 addition and 2 deletion

crypto/x509v3/pcy_tree.c crypto/x509v3/pcy_tree.c +3 -2

未找到文件。
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -134,7 +134,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
 			if (!(x->ex_flags & EXFLAG_SI)
 				&& (cache->explicit_skip != -1)
 				&& (cache->explicit_skip < explicit_policy))
-				explicit_policy = cache->explicit_skip;
+				explicit_policy = cache->explicit_skip + 1;
 			}
 		}
@@ -202,7 +202,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
 			}
 		else
 			{
-			any_skip--;
+			if (!(x->ex_flags & EXFLAG_SI))
+				any_skip--;
 			if ((cache->any_skip >= 0)
 				&& (cache->any_skip < any_skip))
 				any_skip = cache->any_skip;