From 5ff8fec168374a6591b2b140a2721c7e9d67e77c Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Tue, 31 Jan 2012 03:58:51 +0000
Subject: AKI extension is optional for self-signed RPKI certificates.
svn path=/trunk/; revision=4275
---
 rcynic/rcynic.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'rcynic/rcynic.c')
diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c
index 3dc3c044..de473a49 100644
--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -3500,6 +3500,11 @@ static int check_x509(rcynic_ctx_t *rc,
 goto done;
 }
+ if (check_aki(rc, uri, w->cert, x->akid, generation))
+ ex_count--;
+ else if (!certinfo->ta || x->akid)
+ goto done;
+
 if (certinfo->ta) {
 if (certinfo->crldp.s[0]) {
@@ -3509,11 +3514,6 @@ static int check_x509(rcynic_ctx_t *rc,
 } else {
- if (check_aki(rc, uri, w->cert, x->akid, generation))
- ex_count--;
- else
- goto done;
-
 if (!certinfo->crldp.s[0]) {
 log_validation_status(rc, uri, crldp_uri_missing, generation);
 goto done;
--
cgit v1.2.3
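Review bot: In the first hunk, check_aki() is now called unconditionally, so a trust anchor with no AKI reaches it with a NULL `x->akid`, and only the following `else if` decides whether that failure matters. check_aki() is not visible here, so it should be confirmed that it tolerates a NULL AKI without dereferencing it and does not record a failure status for a certificate that is then accepted. Guarding the call makes the optional case explicit and stops `ex_count` depending on that behaviour: `if (!certinfo->ta || x->akid) { if (!check_aki(rc, uri, w->cert, x->akid, generation)) goto done; ex_count--; }`. A short comment such as `/* AKI is required except on self-signed trust anchors; if one is present there it must still validate */` would record why the condition has this shape. The body of check_x509 starts and ends outside the hunk.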