Checking a nonexistant extension for canonical form is not very useful.

svn path=/openssl/trunk/crypto/x509v3/v3_asid.c; revision=164
author: Rob Austein <sra@hactrn.net> 2006-08-17 01:09:42 +0000
committer: Rob Austein <sra@hactrn.net> 2006-08-17 01:09:42 +0000
commit: f3f9008343f34a90b81569033e0dcb2984f62f0c (patch)
tree: 7f9f6a7e4190fe00dcfefd251a1cbdd2698d31b1 /openssl
parent: 8056b48f962d5afc70d7b66488b01a30271957f8 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/openssl/trunk/crypto/x509v3/v3_asid.c b/openssl/trunk/crypto/x509v3/v3_asid.c
index ba0c0edf..1c10a491 100644
--- a/openssl/trunk/crypto/x509v3/v3_asid.c
+++ b/openssl/trunk/crypto/x509v3/v3_asid.c
@@ -637,14 +637,14 @@ int v3_asid_validate_path(X509_STORE_CTX *ctx)
   for (i = 1; i < sk_X509_num(ctx->chain); i++) {
     x = sk_X509_value(ctx->chain, i);
     assert(x != NULL);
-    if (!asid_is_canonical(x->rfc3779_asid->asnum) ||
-	!asid_is_canonical(x->rfc3779_asid->rdi))
-      validation_err(X509_V_ERR_INVALID_EXTENSION);
     if (x->rfc3779_asid == NULL) {
       if (child_as != NULL || child_rdi != NULL)
 	validation_err(X509_V_ERR_UNNESTED_RESOURCE);
       continue;
     }
+    if (!asid_is_canonical(x->rfc3779_asid->asnum) ||
+	!asid_is_canonical(x->rfc3779_asid->rdi))
+      validation_err(X509_V_ERR_INVALID_EXTENSION);
     if (x->rfc3779_asid->asnum == NULL && child_as != NULL) {
       validation_err(X509_V_ERR_UNNESTED_RESOURCE);
       child_as = NULL;
author	Rob Austein <sra@hactrn.net>	2006-08-17 01:09:42 +0000
committer	Rob Austein <sra@hactrn.net>	2006-08-17 01:09:42 +0000
commit	f3f9008343f34a90b81569033e0dcb2984f62f0c (patch)
tree	7f9f6a7e4190fe00dcfefd251a1cbdd2698d31b1 /openssl
parent	8056b48f962d5afc70d7b66488b01a30271957f8 (diff)