crypt32: Prohibit name constraints that contain neither an excluded nor a permitted subtree.

85852031 · Juan Lang · Alexandre Julliard · e77e9e45 · 85852031
Commit 85852031 authored Nov 16, 2009 by Juan Lang Committed by Alexandre Julliard Nov 18, 2009
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 0 deletions

chain.c dlls/crypt32/chain.c +11 -0

No files found.
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -850,6 +850,17 @@ static BOOL CRYPT_IsValidNameConstraint(const CERT_NAME_CONSTRAINTS_INFO *info)
    DWORD i;
    BOOL ret = TRUE;

+    /* Make sure at least one permitted or excluded subtree is present.  From
+     * RFC 5280, section 4.2.1.10:
+     * "Conforming CAs MUST NOT issue certificates where name constraints is an
+     *  empty sequence.  That is, either the permittedSubtrees field or the
+     *  excludedSubtrees MUST be present."
+     */
+    if (!info->cPermittedSubtree && !info->cExcludedSubtree)
+    {
+        WARN_(chain)("constraints contain no permitted nor excluded subtree\n");
+        ret = FALSE;
+    }
    /* Check that none of the constraints specifies a minimum or a maximum.
     * See RFC 5280, section 4.2.1.10:
     * "Within this profile, the minimum and maximum fields are not used with