From f3f9008343f34a90b81569033e0dcb2984f62f0c Mon Sep 17 00:00:00 2001
From: Rob Austein <sra@hactrn.net>
Date: Thu, 17 Aug 2006 01:09:42 +0000
Subject: Checking a nonexistant extension for canonical form is not very
 useful.

svn path=/openssl/trunk/crypto/x509v3/v3_asid.c; revision=164
---
 openssl/trunk/crypto/x509v3/v3_asid.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'openssl')

diff --git a/openssl/trunk/crypto/x509v3/v3_asid.c b/openssl/trunk/crypto/x509v3/v3_asid.c
index ba0c0edf..1c10a491 100644
--- a/openssl/trunk/crypto/x509v3/v3_asid.c
+++ b/openssl/trunk/crypto/x509v3/v3_asid.c
@@ -637,14 +637,14 @@ int v3_asid_validate_path(X509_STORE_CTX *ctx)
   for (i = 1; i < sk_X509_num(ctx->chain); i++) {
     x = sk_X509_value(ctx->chain, i);
     assert(x != NULL);
-    if (!asid_is_canonical(x->rfc3779_asid->asnum) ||
-	!asid_is_canonical(x->rfc3779_asid->rdi))
-      validation_err(X509_V_ERR_INVALID_EXTENSION);
     if (x->rfc3779_asid == NULL) {
       if (child_as != NULL || child_rdi != NULL)
 	validation_err(X509_V_ERR_UNNESTED_RESOURCE);
       continue;
     }
+    if (!asid_is_canonical(x->rfc3779_asid->asnum) ||
+	!asid_is_canonical(x->rfc3779_asid->rdi))
+      validation_err(X509_V_ERR_INVALID_EXTENSION);
     if (x->rfc3779_asid->asnum == NULL && child_as != NULL) {
       validation_err(X509_V_ERR_UNNESTED_RESOURCE);
       child_as = NULL;
-- 
cgit v1.2.3