Juan Lang : crypt32: Microsoft fixed a bug with name constraints, so make Wine's behavior match.

Alexandre Julliard julliard at winehq.org
Sat Oct 18 13:38:23 CDT 2008


Module: wine
Branch: master
Commit: 25698f8938a7c29d7ea772168b87f1e09f36099e
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=25698f8938a7c29d7ea772168b87f1e09f36099e

Author: Juan Lang <juan.lang at gmail.com>
Date:   Thu Oct 16 16:42:46 2008 -0700

crypt32: Microsoft fixed a bug with name constraints, so make Wine's behavior match.

---

 dlls/crypt32/chain.c       |   17 +----------------
 dlls/crypt32/tests/chain.c |    6 ++----
 2 files changed, 3 insertions(+), 20 deletions(-)

diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index d086fe6..9365a22 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -560,14 +560,13 @@ static void CRYPT_FindMatchingNameEntry(const CERT_ALT_NAME_ENTRY *constraint,
  DWORD errorIfFound, DWORD errorIfNotFound)
 {
     DWORD i;
-    BOOL defined = FALSE, match = FALSE;
+    BOOL match = FALSE;
 
     for (i = 0; i < subjectName->cAltEntry; i++)
     {
         if (subjectName->rgAltEntry[i].dwAltNameChoice ==
          constraint->dwAltNameChoice)
         {
-            defined = TRUE;
             switch (constraint->dwAltNameChoice)
             {
             case CERT_ALT_NAME_RFC822_NAME:
@@ -595,16 +594,6 @@ static void CRYPT_FindMatchingNameEntry(const CERT_ALT_NAME_ENTRY *constraint,
             }
         }
     }
-    /* Microsoft's implementation of name constraint checking appears at odds
-     * with RFC 3280:
-     * According to MSDN, CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT is set
-     * when a name constraint is present, but that name form is not defined in
-     * the end certificate.  According to RFC 3280, "if no name of the type is
-     * in the certificate, the name is acceptable."
-     * I follow Microsoft here.
-     */
-    if (!defined)
-        *trustErrorStatus |= CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT;
     *trustErrorStatus |= match ? errorIfFound : errorIfNotFound;
 }
 
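Review bot: The closing `*trustErrorStatus |= match ? errorIfFound : errorIfNotFound;` still sets `errorIfNotFound` when the subject alternative name has no entry of the constraint's name form, because `match` stays FALSE, and the only comment relating this to RFC 3280 is deleted along with the `defined` flag. If a caller passes a not-permitted error as `errorIfNotFound` (the call sites are outside this hunk), a certificate that merely lacks that name form is rejected, which is stricter than the RFC sentence the old comment quoted ("if no name of the type is in the certificate, the name is acceptable"). Rejecting fails closed, but the choice should be recorded as deliberate, for example `/* A name form absent from the certificate counts as not found; this matches the status the chain tests expect rather than RFC 3280. */` above that line. The `else` branch of CRYPT_CheckNameConstraints in the next hunk has the same gap: it sets CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT with no remaining explanation. The body of CRYPT_FindMatchingNameEntry starts outside this hunk, so how `match` is set per entry is not visible here.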
@@ -645,10 +634,6 @@ static void CRYPT_CheckNameConstraints(
         }
         else
         {
-            /* See above comment on CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT.
-             * I match Microsoft's implementation here as well.
-             */
-            *trustErrorStatus |= CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT;
             if (nameConstraints->cPermittedSubtree)
                 *trustErrorStatus |=
                  CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
diff --git a/dlls/crypt32/tests/chain.c b/dlls/crypt32/tests/chain.c
index bfaa802..5752eff 100644
--- a/dlls/crypt32/tests/chain.c
+++ b/dlls/crypt32/tests/chain.c
@@ -1352,8 +1352,7 @@ static CONST_DATA_BLOB chain5[] = {
 };
 static const CERT_TRUST_STATUS elementStatus5[] = {
  { CERT_TRUST_NO_ERROR, CERT_TRUST_HAS_NAME_MATCH_ISSUER },
- { CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT |
-   CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT |
+ { CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT |
    CERT_TRUST_IS_UNTRUSTED_ROOT,
    CERT_TRUST_HAS_NAME_MATCH_ISSUER | CERT_TRUST_IS_SELF_SIGNED },
 };
@@ -1512,8 +1511,7 @@ static ChainCheck chainCheck[] = {
      1, simpleStatus4 }, 0 },
  { { sizeof(chain5) / sizeof(chain5[0]), chain5 },
    { { 0, CERT_TRUST_HAS_PREFERRED_ISSUER },
-     { CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT |
-       CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT |
+     { CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT |
        CERT_TRUST_IS_UNTRUSTED_ROOT, 0 }, 1, simpleStatus5 }, 0 },
  { { sizeof(chain6) / sizeof(chain6[0]), chain6 },
    { { 0, CERT_TRUST_HAS_PREFERRED_ISSUER },



