Commit 6f35ae25 authored by Juan Lang, committed by Alexandre Julliard

crypt32: Use helper function to compare a subject alternate name with name constraints.

parent a98dad4f
...@@ -823,53 +823,58 @@ static inline PCERT_EXTENSION get_subject_alt_name_ext(const CERT_INFO *cert) ...@@ -823,53 +823,58 @@ static inline PCERT_EXTENSION get_subject_alt_name_ext(const CERT_INFO *cert)
return ext; return ext;
} }
static void CRYPT_CheckNameConstraints( static void compare_alt_name_with_constraints(const CERT_EXTENSION *altNameExt,
const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, const CERT_INFO *cert, const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
DWORD *trustErrorStatus)
{ {
CERT_EXTENSION *ext = get_subject_alt_name_ext(cert); CERT_ALT_NAME_INFO *subjectAltName;
DWORD size;
if (ext) if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ALTERNATE_NAME,
altNameExt->Value.pbData, altNameExt->Value.cbData,
CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
&subjectAltName, &size))
{ {
CERT_ALT_NAME_INFO *subjectName; DWORD i;
DWORD size;
if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ALTERNATE_NAME, for (i = 0; i < subjectAltName->cAltEntry; i++)
ext->Value.pbData, ext->Value.cbData,
CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
&subjectName, &size))
{ {
DWORD i; BOOL nameFormPresent;
for (i = 0; i < subjectName->cAltEntry; i++) /* A name constraint only applies if the name form is present.
{ * From RFC 5280, section 4.2.1.10:
BOOL nameFormPresent; * "Restrictions apply only when the specified name form is
* present. If no name of the type is in the certificate,
/* A name constraint only applies if the name form is present. * the certificate is acceptable."
* From RFC 5280, section 4.2.1.10: */
* "Restrictions apply only when the specified name form is if (alt_name_matches_excluded_name(
* present. If no name of the type is in the certificate, &subjectAltName->rgAltEntry[i], nameConstraints,
* the certificate is acceptable." trustErrorStatus))
*/ *trustErrorStatus |=
if (alt_name_matches_excluded_name( CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
&subjectName->rgAltEntry[i], nameConstraints, nameFormPresent = FALSE;
trustErrorStatus)) if (!alt_name_matches_permitted_name(
*trustErrorStatus |= &subjectAltName->rgAltEntry[i], nameConstraints,
CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT; trustErrorStatus, &nameFormPresent) && nameFormPresent)
nameFormPresent = FALSE; *trustErrorStatus |=
if (!alt_name_matches_permitted_name( CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
&subjectName->rgAltEntry[i], nameConstraints,
trustErrorStatus, &nameFormPresent) && nameFormPresent)
*trustErrorStatus |=
CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
}
LocalFree(subjectName);
} }
else LocalFree(subjectAltName);
*trustErrorStatus |=
CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_NAME_CONSTRAINTS;
} }
else else
*trustErrorStatus |=
CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_NAME_CONSTRAINTS;
}
static void CRYPT_CheckNameConstraints(
const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, const CERT_INFO *cert,
DWORD *trustErrorStatus)
{
CERT_EXTENSION *ext = get_subject_alt_name_ext(cert);
if (ext)
compare_alt_name_with_constraints(ext, nameConstraints,
trustErrorStatus);
else
{ {
if (nameConstraints->cPermittedSubtree) if (nameConstraints->cPermittedSubtree)
*trustErrorStatus |= *trustErrorStatus |=
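Review bot: The new static helper compare_alt_name_with_constraints has no header comment stating its contract, and the only thing guaranteeing altNameExt is non-NULL is the `if (ext)` guard in its single caller CRYPT_CheckNameConstraints a few lines below, so that precondition belongs above the definition. I would add: `/* Compares each SAN entry against nameConstraints and ORs any excluded / not-permitted constraint flag into *trustErrorStatus. altNameExt must be non-NULL; a SAN that fails to decode is reported as an invalid extension (fail closed). */`. Keeping the decode-failure branch fail-closed matters for a trust decision, so the comment should make that intent explicit rather than leave it to look like an incidental error path. Only SAN entries are compared here; whether directoryName constraints are also applied against the subject DN elsewhere is not visible in this hunk and, if so, deserves a pointer in the same comment. CRYPT_CheckNameConstraints continues past the end of the hunk.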