author | wbond <will@wbond.net> | 2017-11-20 07:31:11 -0500 |
---|---|---|
committer | wbond <will@wbond.net> | 2017-11-20 07:31:11 -0500 |
commit | 764716321c4cca85115906bcf82b6a6d74d6f764 (patch) | |
tree | 3b7889096264ca369859630184e83ff22bb8323a /asn1crypto/x509.py | |
parent | 617d19a3545f4b645b217e3e342c0b7ae9c60277 (diff) | |
download | asn1crypto-764716321c4cca85115906bcf82b6a6d74d6f764.tar.gz |
Don't ever return "yes" from x509.Certificate.self_signed
Diffstat (limited to 'asn1crypto/x509.py')
-rw-r--r-- | asn1crypto/x509.py | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/asn1crypto/x509.py b/asn1crypto/x509.py
index f051e40..df37205 100644
--- a/asn1crypto/x509.py
+++ b/asn1crypto/x509.py
@@ -2513,11 +2513,14 @@ class Certificate(Sequence):
     def self_signed(self):
         """
         :return:
-            A unicode string of "yes", "no" or "maybe". The "maybe" result will
-            be returned if the certificate does not contain a key identifier
-            extension, but is issued by the subject. In this case the
-            certificate signature will need to be verified using the subject
-            public key to determine a "yes" or "no" answer.
+            A unicode string of "no" or "maybe". The "maybe" result will
+            be returned if the certificate issuer and subject are the same.
+            If a key identifier and authority key identifier are present,
+            they will need to match otherwise "no" will be returned.
+
+            To verify is a certificate is truly self-signed, the signature
+            will need to be verified. See the certvalidator package for
+            one possible solution.
         """
 
         if self._self_signed is None:
@@ -2525,9 +2528,9 @@ class Certificate(Sequence):
             if self.self_issued:
                 if self.key_identifier:
                     if not self.authority_key_identifier:
-                        self._self_signed = 'yes'
+                        self._self_signed = 'maybe'
                     elif self.authority_key_identifier == self.key_identifier:
-                        self._self_signed = 'yes'
+                        self._self_signed = 'maybe'
                 else:
                     self._self_signed = 'maybe'
         return self._self_signed |
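Review bot: The new docstring has a typo in the one sentence that carries the security caveat, "To verify is a certificate is truly self-signed"; it should read `To verify if a certificate is truly self-signed, the signature`. The text also no longer states what is returned when issuer and subject differ, which is the common case, so a line such as `"no" is returned whenever the certificate is not self-issued.` would complete the contract. The body of self_signed continues past this hunk.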
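Review bot: After this change the `if not self.authority_key_identifier` and `elif self.authority_key_identifier == self.key_identifier` branches assign the same value, so the pair can be folded into one condition, `if not self.authority_key_identifier or self.authority_key_identifier == self.key_identifier:` followed by `self._self_signed = 'maybe'`, which makes it visible that no path yields a "yes". Since a matching key identifier pair only shows the certificate names itself as issuer and is not a cryptographic check, a why-comment on that assignment would help future readers, e.g. `# Matching identifiers only make self-signing plausible; a signature check is required to confirm it`. Any caller that compares the result to `'yes'` will silently stop matching, so it is worth calling this out as a behaviour change in the release notes; the method's signature and the default assignment are outside this hunk.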