Commit 85852031 authored by Juan Lang, committed by Alexandre Julliard

crypt32: Prohibit name constraints that contain neither an excluded nor a permitted subtree.

parent e77e9e45
...@@ -850,6 +850,17 @@ static BOOL CRYPT_IsValidNameConstraint(const CERT_NAME_CONSTRAINTS_INFO *info) ...@@ -850,6 +850,17 @@ static BOOL CRYPT_IsValidNameConstraint(const CERT_NAME_CONSTRAINTS_INFO *info)
DWORD i; DWORD i;
BOOL ret = TRUE; BOOL ret = TRUE;
/* Make sure at least one permitted or excluded subtree is present. From
* RFC 5280, section 4.2.1.10:
* "Conforming CAs MUST NOT issue certificates where name constraints is an
* empty sequence. That is, either the permittedSubtrees field or the
* excludedSubtrees MUST be present."
*/
if (!info->cPermittedSubtree && !info->cExcludedSubtree)
{
WARN_(chain)("constraints contain no permitted nor excluded subtree\n");
ret = FALSE;
}
/* Check that none of the constraints specifies a minimum or a maximum. /* Check that none of the constraints specifies a minimum or a maximum.
* See RFC 5280, section 4.2.1.10: * See RFC 5280, section 4.2.1.10:
* "Within this profile, the minimum and maximum fields are not used with * "Within this profile, the minimum and maximum fields are not used with
......
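Review bot: In the new `if (!info->cPermittedSubtree && !info->cExcludedSubtree)` branch, `ret = FALSE` is set but control falls through into the minimum/maximum check that follows, so the rejection holds only as long as nothing later in the function assigns `ret = TRUE` again. Returning FALSE directly from this branch, or stating in the comment that the later checks only ever clear `ret`, would make the empty-constraints rejection independent of the code below it. A minor wording point on the same branch: the WARN text "no permitted nor excluded subtree" reads better as "neither a permitted nor an excluded subtree", which also matches the commit subject.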