From 93707ec4e3ed75f610895a1f044a60dd703edb18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Wed, 8 Aug 2007 11:52:52 +0000
Subject: [PATCH] "self-signed doesn't count" doesn't apply to trust anchor certificate. make trust anchor check consistant.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21869 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/hx509/cert.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index 270289a24..3cc87a1be 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -1588,7 +1588,7 @@ hx509_verify_path(hx509_context context,
 goto out;
 }
- if (certificate_is_self_signed(c))
+ if (i + 1 != path.len && certificate_is_self_signed(c))
 selfsigned_depth++;
 break;
@@ -1760,7 +1760,7 @@ hx509_verify_path(hx509_context context,
 c = _hx509_get_cert(path.val[i]);
 /* verify name constraints, not for selfsigned and anchor */
- if (!certificate_is_self_signed(c) || i != path.len - 1) {
+ if (!certificate_is_self_signed(c) || i + 1 != path.len) {
 ret = check_name_constraints(context, &nc, c);
 if (ret) {
 goto out;
@@ -1833,7 +1833,7 @@ hx509_verify_path(hx509_context context,
 c = _hx509_get_cert(path.val[i]);
 /* is last in chain (trust anchor) */
- if (i == path.len - 1) {
+ if (i + 1 == path.len) {
 signer = path.val[i]->data;
 /* if trust anchor is not self signed, don't check sig */
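Review bot: The anchor test `i + 1 != path.len` is now spelled out at three separate sites in hx509_verify_path (this hunk and the two after it), and nothing at this site says why the trust anchor is kept out of `selfsigned_depth`. A one-line comment above the `if` would record the intent, e.g. `/* the trust anchor (last in path) is not counted as self-signed */`. A per-loop local such as `int is_anchor = (i + 1 == path.len);` would keep the three checks from drifting apart again. How `selfsigned_depth` is consumed lies outside the hunk, so whether excluding the anchor changes any path-length decision cannot be confirmed from these lines.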
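Review bot: The comment `/* verify name constraints, not for selfsigned and anchor */` in the second hunk reads as if either property exempts a certificate, but the condition skips `check_name_constraints` only when the certificate is both self-signed and last in the path. A self-signed certificate elsewhere in the path, and an anchor that is not self-signed, are both still checked. Rewording it to `/* verify name constraints, except on a self-signed trust anchor */` would stop a later reader from widening the exemption to match the comment. The loop enclosing this block starts outside the hunk.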