crypt32: Microsoft fixed a bug with name constraints, so make Wine's behavior match.

25698f89 · Juan Lang · Alexandre Julliard · 4615b1c0 · 25698f89 · 25698f89
Commit 25698f89 authored Oct 16, 2008 by Juan Lang Committed by Alexandre Julliard Oct 17, 2008
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 20 deletions

chain.c dlls/crypt32/chain.c +1 -16

chain.c dlls/crypt32/tests/chain.c +2 -4

No files found.
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -560,14 +560,13 @@ static void CRYPT_FindMatchingNameEntry(const CERT_ALT_NAME_ENTRY *constraint,
 DWORD errorIfFound, DWORD errorIfNotFound)
 {
    DWORD i;
-    BOOL defined = FALSE, match = FALSE;
+    BOOL match = FALSE;

    for (i = 0; i < subjectName->cAltEntry; i++)
    {
        if (subjectName->rgAltEntry[i].dwAltNameChoice ==
         constraint->dwAltNameChoice)
        {
-            defined = TRUE;
            switch (constraint->dwAltNameChoice)
            {
            case CERT_ALT_NAME_RFC822_NAME:
@@ -595,16 +594,6 @@ static void CRYPT_FindMatchingNameEntry(const CERT_ALT_NAME_ENTRY *constraint,
            }
        }
    }
-    /* Microsoft's implementation of name constraint checking appears at odds
-     * with RFC 3280:
-     * According to MSDN, CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT is set
-     * when a name constraint is present, but that name form is not defined in
-     * the end certificate.  According to RFC 3280, "if no name of the type is
-     * in the certificate, the name is acceptable."
-     * I follow Microsoft here.
-     */
-    if (!defined)
-        *trustErrorStatus |= CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT;
    *trustErrorStatus |= match ? errorIfFound : errorIfNotFound;
 }

@@ -645,10 +634,6 @@ static void CRYPT_CheckNameConstraints(
        }
        else
        {
-            /* See above comment on CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT.
-             * I match Microsoft's implementation here as well.
-             */
-            *trustErrorStatus |= CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT;
            if (nameConstraints->cPermittedSubtree)
                *trustErrorStatus |=
                 CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;

--- a/dlls/crypt32/tests/chain.c
+++ b/dlls/crypt32/tests/chain.c
@@ -1352,8 +1352,7 @@ static CONST_DATA_BLOB chain5[] = {
 };
 static const CERT_TRUST_STATUS elementStatus5[] = {
 { CERT_TRUST_NO_ERROR, CERT_TRUST_HAS_NAME_MATCH_ISSUER },
- { CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT |
-   CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT |
+ { CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT |
   CERT_TRUST_IS_UNTRUSTED_ROOT,
   CERT_TRUST_HAS_NAME_MATCH_ISSUER | CERT_TRUST_IS_SELF_SIGNED },
 };
@@ -1512,8 +1511,7 @@ static ChainCheck chainCheck[] = {
     1, simpleStatus4 }, 0 },
 { { sizeof(chain5) / sizeof(chain5[0]), chain5 },
   { { 0, CERT_TRUST_HAS_PREFERRED_ISSUER },
-     { CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT |
-       CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT |
+     { CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT |
       CERT_TRUST_IS_UNTRUSTED_ROOT, 0 }, 1, simpleStatus5 }, 0 },
 { { sizeof(chain6) / sizeof(chain6[0]), chain6 },
   { { 0, CERT_TRUST_HAS_PREFERRED_ISSUER },