goto memerr;
/* Invalid or inconsistent extensions */
if (ret == X509_PCY_TREE_INVALID) {
- int i;
+ int i, cbcalled = 0;
/* Locate certificates with bad extensions and notify callback. */
- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
+ for (i = 0; i < sk_X509_num(ctx->chain); i++) {
X509 *x = sk_X509_value(ctx->chain, i);
+ if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
+ cbcalled = 1;
CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
}
+ if (!cbcalled) {
+ /* Should not be able to get here */
+ ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ /* The callback ignored the error so we return success */
return 1;
}
if (ret == X509_PCY_TREE_FAILURE) {