crypt32: Accept a certificate if its name matches any permitted subtree of a name constraint.

c464875a · Juan Lang · Alexandre Julliard · d6f7d06c · c464875a
Commit c464875a authored Nov 17, 2009 by Juan Lang Committed by Alexandre Julliard Nov 18, 2009
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 8 deletions

chain.c dlls/crypt32/chain.c +11 -8

No files found.
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -987,18 +987,21 @@ static void compare_subject_with_constraints(const CERT_NAME_BLOB *subjectName,
            *trustErrorStatus |=
             CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
    }
-    for (i = 0; i < nameConstraints->cPermittedSubtree; i++)
+    if (nameConstraints->cPermittedSubtree)
    {
-        CERT_ALT_NAME_ENTRY *constraint =
+        BOOL match = FALSE;
-         &nameConstraints->rgPermittedSubtree[i].Base;
-        if (constraint->dwAltNameChoice == CERT_ALT_NAME_DIRECTORY_NAME)
+        for (i = 0; !match && i < nameConstraints->cPermittedSubtree; i++)
        {
-            if (!directory_name_matches(&constraint->u.DirectoryName,
+            CERT_ALT_NAME_ENTRY *constraint =
-             subjectName))
+             &nameConstraints->rgPermittedSubtree[i].Base;
-                *trustErrorStatus |=
-                 CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
+            if (constraint->dwAltNameChoice == CERT_ALT_NAME_DIRECTORY_NAME)
+                match = directory_name_matches(&constraint->u.DirectoryName,
+                 subjectName);
        }
+        if (!match)
+            *trustErrorStatus |= CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
    }
 }