From 99121d4dac2b6a8f5a17ba72ea4950afede2d3c5 Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Mon, 29 Jun 2009 20:17:20 +0000
Subject: Try harder to detect self-signed certificates.
svn path=/scripts/x509-dot.py; revision=2551
---
 scripts/x509-dot.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'scripts/x509-dot.py')
diff --git a/scripts/x509-dot.py b/scripts/x509-dot.py
index 74977f51..06263e37 100644
--- a/scripts/x509-dot.py
+++ b/scripts/x509-dot.py
@@ -11,10 +11,10 @@ class x509(object):
 ski = None
 aki = None
- show_file = True
+ show_file = False
 show_ski = False
 show_aki = False
- show_issuer = False
+ show_issuer = True
 show_subject = True
 cn_only = True
@@ -93,9 +93,15 @@ class x509(object):
 for issuer in self.subjects.get(self.issuer, ()):
 if issuer is self:
+ print "# Issuer is self"
+ issuer = None
+
+ if issuer is not None and self.aki is not None and self.ski is not None and self.aki == self.ski:
+ print "# Self-signed"
 issuer = None
 if issuer is not None and self.aki is not None and issuer.ski is not None and self.aki != issuer.ski:
+ print "# AKI does not match issuer SKI"
 issuer = None
 if issuer is not None:
-- cgit v1.2.3
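Review bot: The new `self.aki == self.ski` test in the second hunk is a key-identifier heuristic rather than evidence of a self-signature: both extensions are values asserted inside the certificate and no signature is checked on these lines, so the `# Self-signed` line in the output can be wrong in either direction. It also cannot fire when the AKI extension is absent, which RFC 5280 permits for self-signed CA certificates, so a second copy of such a root that is not the same object as `self` would presumably still pass this test. I would add a comment above the test, `# Heuristic: AKI == SKI compares asserted key identifiers only; no signature is verified and certs without an AKI are not caught`, and, since the comparison does not depend on the loop variable beyond `issuer is not None`, evaluate it once before the `for`. The enclosing method starts before this hunk and continues past its last line.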