Include self-signed flag in certificates by checking SKID/AKID as well

as issuer and subject names. Although this is an incompatible change
it should have little impact in pratice because self-issued certificates
that are not self-signed are rarely encountered.
(cherry picked from commit b1efb7161f)

crypto/x509v3/v3_purp.c

@@ -368,9 +368,6 @@ static void x509v3_cache_extensions(X509 *x)
 #ifndef OPENSSL_NO_SHA
 	X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
 #endif
-	/* Does subject name match issuer ? */
-	if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
-			 x->ex_flags |= EXFLAG_SI;
 	/* V1 should mean no extensions ... */
 	if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
 	/* Handle basic constraints */
@@ -464,6 +461,14 @@ static void x509v3_cache_extensions(X509 *x)
 	}
 	x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
 	x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
+	/* Does subject name match issuer ? */
+	if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
+			{
+			x->ex_flags |= EXFLAG_SI;
+			/* If SKID matches AKID also indicate self signed */
+			if (X509_check_akid(x, x->akid) == X509_V_OK)
+				x->ex_flags |= EXFLAG_SS;
+			}
 	x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
 	x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
 	if (!x->nc && (i != -1))

crypto/x509v3/x509v3.h

@@ -414,7 +414,6 @@ struct ISSUING_DIST_POINT_st
 #define EXFLAG_CA		0x10
 /* Really self issued not necessarily self signed */
 #define EXFLAG_SI		0x20
-#define EXFLAG_SS		0x20
 #define EXFLAG_V1		0x40
 #define EXFLAG_INVALID		0x80
 #define EXFLAG_SET		0x100
@@ -423,6 +422,8 @@ struct ISSUING_DIST_POINT_st
 
 #define EXFLAG_INVALID_POLICY	0x800
 #define EXFLAG_FRESHEST		0x1000
+/* Self signed */
+#define EXFLAG_SS		0x2000
 
 #define KU_DIGITAL_SIGNATURE	0x0080
 #define KU_NON_REPUDIATION	0x0040