crypt32: Use helper function to compare a subject alternate name with name constraints.

dlls/crypt32/chain.c

@@ -823,53 +823,58 @@ static inline PCERT_EXTENSION get_subject_alt_name_ext(const CERT_INFO *cert)
     return ext;
 }
 
-static void CRYPT_CheckNameConstraints(
- const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, const CERT_INFO *cert,
- DWORD *trustErrorStatus)
+static void compare_alt_name_with_constraints(const CERT_EXTENSION *altNameExt,
+ const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
 {
-    CERT_EXTENSION *ext = get_subject_alt_name_ext(cert);
+    CERT_ALT_NAME_INFO *subjectAltName;
+    DWORD size;
 
-    if (ext)
+    if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ALTERNATE_NAME,
+     altNameExt->Value.pbData, altNameExt->Value.cbData,
+     CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
+     &subjectAltName, &size))
     {
-        CERT_ALT_NAME_INFO *subjectName;
-        DWORD size;
+        DWORD i;
 
-        if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ALTERNATE_NAME,
-         ext->Value.pbData, ext->Value.cbData,
-         CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
-         &subjectName, &size))
+        for (i = 0; i < subjectAltName->cAltEntry; i++)
         {
-            DWORD i;
-
-            for (i = 0; i < subjectName->cAltEntry; i++)
-            {
-                 BOOL nameFormPresent;
-
-                 /* A name constraint only applies if the name form is present.
-                  * From RFC 5280, section 4.2.1.10:
-                  * "Restrictions apply only when the specified name form is
-                  *  present.  If no name of the type is in the certificate,
-                  *  the certificate is acceptable."
-                  */
-                if (alt_name_matches_excluded_name(
-                 &subjectName->rgAltEntry[i], nameConstraints,
-                 trustErrorStatus))
-                    *trustErrorStatus |=
-                     CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
-                nameFormPresent = FALSE;
-                if (!alt_name_matches_permitted_name(
-                 &subjectName->rgAltEntry[i], nameConstraints,
-                 trustErrorStatus, &nameFormPresent) && nameFormPresent)
-                    *trustErrorStatus |=
-                     CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
-            }
-            LocalFree(subjectName);
+             BOOL nameFormPresent;
+
+             /* A name constraint only applies if the name form is present.
+              * From RFC 5280, section 4.2.1.10:
+              * "Restrictions apply only when the specified name form is
+              *  present.  If no name of the type is in the certificate,
+              *  the certificate is acceptable."
+              */
+            if (alt_name_matches_excluded_name(
+             &subjectAltName->rgAltEntry[i], nameConstraints,
+             trustErrorStatus))
+                *trustErrorStatus |=
+                 CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
+            nameFormPresent = FALSE;
+            if (!alt_name_matches_permitted_name(
+             &subjectAltName->rgAltEntry[i], nameConstraints,
+             trustErrorStatus, &nameFormPresent) && nameFormPresent)
+                *trustErrorStatus |=
+                 CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
         }
-        else
-            *trustErrorStatus |=
-             CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_NAME_CONSTRAINTS;
+        LocalFree(subjectAltName);
     }
     else
+        *trustErrorStatus |=
+         CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_NAME_CONSTRAINTS;
+}
+
+static void CRYPT_CheckNameConstraints(
+ const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, const CERT_INFO *cert,
+ DWORD *trustErrorStatus)
+{
+    CERT_EXTENSION *ext = get_subject_alt_name_ext(cert);
+
+    if (ext)
+        compare_alt_name_with_constraints(ext, nameConstraints,
+         trustErrorStatus);
+    else
     {
         if (nameConstraints->cPermittedSubtree)
             *trustErrorStatus |=