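Lamentablemente, SSLv1 aún no está muerto. OpenSSL todavía admite v1 para certificados raíz, por ejemplo, en el código siguiente (ahí «V1» se refiere a certificados raíz X.509 versión 1, no a la versión del protocolo SSL). ¡Advertencia: viene un comentario que da miedo!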
/*
 * Decide whether certificate x may be treated as a CA certificate.
 *
 * Return values, as produced by the branches below:
 *   0  not a CA: keyUsage rejects cert signing, basicConstraints is
 *      present without the CA flag, or none of the legacy cases match
 *   1  basicConstraints is present and carries the CA flag
 *   3  no basicConstraints, but the flags match V1_ROOT
 *   4  no basicConstraints, but a keyUsage extension is present
 *   5  no basicConstraints, but the Netscape cert type has a CA bit set
 *
 * Security note: 3, 4 and 5 are tolerance paths for certificates that
 * lack basicConstraints. A caller that treats every non-zero result as
 * "is a CA" accepts those legacy forms; how callers interpret the codes
 * is not visible in this excerpt.
 */
static int check_ca(const X509 *x)
{
    /* keyUsage, when present, has to permit certificate signing. */
    if (ku_reject(x, KU_KEY_CERT_SIGN))
        return 0;

    /* With basicConstraints present, its CA flag alone decides. */
    if (x->ex_flags & EXFLAG_BCONS)
        return (x->ex_flags & EXFLAG_CA) ? 1 : 0;

    /*
     * No basicConstraints from here on: legacy fallbacks only.
     * V1_ROOT is defined outside this excerpt; going by its name and the
     * original comment it marks an X.509 v1 root (confirm at the
     * definition). The original author noted not knowing why v1 roots
     * are still supported.
     */
    if ((x->ex_flags & V1_ROOT) == V1_ROOT)
        return 3;

    /*
     * A keyUsage extension that survived the ku_reject() check above
     * must include certSign, so it is tolerated.
     */
    if (x->ex_flags & EXFLAG_KUSAGE)
        return 4;

    /* Older certificates may carry Netscape-specific CA types. */
    if ((x->ex_flags & EXFLAG_NSCERT) && (x->ex_nscert & NS_ANY_CA))
        return 5;

    /* Nothing marks this certificate as a CA. */
    return 0;
}