On Wed, Apr 30, 2014 at 03:44:51PM +0200, Stephan Mühlstrasser wrote:

> Shouldn't it only return X509_V_OK if at least one of the three tests "Check
> key ids (if present)", "Check serial number" and "Check issuer name"
> actually was performed?
Don't know about the CRL code path, but the same function is used in
x509v3_cache_extensions() to determine whether a certificate is self-signed,
where a missing akid means plausibly yes, provided the subject and issuer DNs
are equal. This is also used in X509_check_issued() to verify the
issuer-subject relations in a chain, but there the call is skipped when the
subject akid is not set.

The function is part of the public API (its name starts with an upper case
X509, not x509 as with internal interfaces), so changing its semantics would
introduce an incompatibility with applications that rely on the old behaviour.

-- 
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
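A Python model of the semantics described in the reply above, added here as an illustration and not OpenSSL's own code: the AKID check reports OK when the extension is absent, self-signed detection pairs that check with an equal-DN test, and the chain check skips it entirely when the subject carries no AKID. The Cert and AuthorityKeyId types and the error strings are constructed stand-ins for OpenSSL's structures and X509_V_* codes.

```python
# Constructed model of the AKID-check behaviour discussed in the thread.
# Not OpenSSL code; error strings stand in for the real X509_V_ERR_* values.
from dataclasses import dataclass
from typing import Optional

X509_V_OK = 0
ERR_AKID_SKID_MISMATCH = "AKID_SKID_MISMATCH"
ERR_AKID_ISSUER_SERIAL_MISMATCH = "AKID_ISSUER_SERIAL_MISMATCH"
ERR_SUBJECT_ISSUER_MISMATCH = "SUBJECT_ISSUER_MISMATCH"

@dataclass
class AuthorityKeyId:
    keyid: Optional[bytes] = None    # authorityKeyIdentifier, if present
    issuer: Optional[str] = None     # authorityCertIssuer DN, if present
    serial: Optional[int] = None     # authorityCertSerialNumber, if present

@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    skid: Optional[bytes]            # subject key identifier, if present
    akid: Optional[AuthorityKeyId]   # None when the extension is absent

def check_akid(issuer: Cert, akid: Optional[AuthorityKeyId]):
    """Each test is conditional on its field being present, so an absent
    AKID (or one with no fields) is reported as OK: no test ever fails."""
    if akid is None:
        return X509_V_OK
    if akid.keyid is not None and akid.keyid != issuer.skid:
        return ERR_AKID_SKID_MISMATCH
    if akid.serial is not None and akid.serial != issuer.serial:
        return ERR_AKID_ISSUER_SERIAL_MISMATCH
    if akid.issuer is not None and akid.issuer != issuer.issuer:
        return ERR_AKID_ISSUER_SERIAL_MISMATCH
    return X509_V_OK

def is_self_signed(cert: Cert) -> bool:
    """Self-signed detection as in the cache-extensions path: equal subject
    and issuer DNs, plus an AKID check that a missing AKID passes by design."""
    return cert.subject == cert.issuer and check_akid(cert, cert.akid) == X509_V_OK

def check_issued(issuer: Cert, subject: Cert):
    """Chain relation check as described: the AKID test only runs when the
    subject actually carries the extension."""
    if subject.issuer != issuer.subject:
        return ERR_SUBJECT_ISSUER_MISMATCH
    if subject.akid is not None:
        ret = check_akid(issuer, subject.akid)
        if ret != X509_V_OK:
            return ret
    return X509_V_OK
```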