Juan Lang : crypt32: Use helper function to compare a subject alternate name with name constraints .
Alexandre Julliard
julliard at winehq.org
Wed Nov 18 09:40:39 CST 2009
Module: wine
Branch: master
Commit: 6f35ae25b8043b0b6200b347847d05ee1b0d7c30
URL: http://source.winehq.org/git/wine.git/?a=commit;h=6f35ae25b8043b0b6200b347847d05ee1b0d7c30
Author: Juan Lang <juan.lang at gmail.com>
Date: Tue Nov 17 12:19:46 2009 -0800
crypt32: Use helper function to compare a subject alternate name with name constraints.
---
dlls/crypt32/chain.c | 83 ++++++++++++++++++++++++++-----------------------
1 files changed, 44 insertions(+), 39 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 8c7ad5b..14e716a 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -823,53 +823,58 @@ static inline PCERT_EXTENSION get_subject_alt_name_ext(const CERT_INFO *cert)
return ext;
}
-static void CRYPT_CheckNameConstraints(
- const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, const CERT_INFO *cert,
- DWORD *trustErrorStatus)
+static void compare_alt_name_with_constraints(const CERT_EXTENSION *altNameExt,
+ const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
{
- CERT_EXTENSION *ext = get_subject_alt_name_ext(cert);
+ CERT_ALT_NAME_INFO *subjectAltName;
+ DWORD size;
- if (ext)
+ if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ALTERNATE_NAME,
+ altNameExt->Value.pbData, altNameExt->Value.cbData,
+ CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
+ &subjectAltName, &size))
{
- CERT_ALT_NAME_INFO *subjectName;
- DWORD size;
+ DWORD i;
- if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ALTERNATE_NAME,
- ext->Value.pbData, ext->Value.cbData,
- CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
- &subjectName, &size))
+ for (i = 0; i < subjectAltName->cAltEntry; i++)
{
- DWORD i;
-
- for (i = 0; i < subjectName->cAltEntry; i++)
- {
- BOOL nameFormPresent;
-
- /* A name constraint only applies if the name form is present.
- * From RFC 5280, section 4.2.1.10:
- * "Restrictions apply only when the specified name form is
- * present. If no name of the type is in the certificate,
- * the certificate is acceptable."
- */
- if (alt_name_matches_excluded_name(
- &subjectName->rgAltEntry[i], nameConstraints,
- trustErrorStatus))
- *trustErrorStatus |=
- CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
- nameFormPresent = FALSE;
- if (!alt_name_matches_permitted_name(
- &subjectName->rgAltEntry[i], nameConstraints,
- trustErrorStatus, &nameFormPresent) && nameFormPresent)
- *trustErrorStatus |=
- CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
- }
- LocalFree(subjectName);
+ BOOL nameFormPresent;
+
+ /* A name constraint only applies if the name form is present.
+ * From RFC 5280, section 4.2.1.10:
+ * "Restrictions apply only when the specified name form is
+ * present. If no name of the type is in the certificate,
+ * the certificate is acceptable."
+ */
+ if (alt_name_matches_excluded_name(
+ &subjectAltName->rgAltEntry[i], nameConstraints,
+ trustErrorStatus))
+ *trustErrorStatus |=
+ CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
+ nameFormPresent = FALSE;
+ if (!alt_name_matches_permitted_name(
+ &subjectAltName->rgAltEntry[i], nameConstraints,
+ trustErrorStatus, &nameFormPresent) && nameFormPresent)
+ *trustErrorStatus |=
+ CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
}
- else
- *trustErrorStatus |=
- CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_NAME_CONSTRAINTS;
+ LocalFree(subjectAltName);
}
else
+ *trustErrorStatus |=
+ CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_NAME_CONSTRAINTS;
+}
+
+static void CRYPT_CheckNameConstraints(
+ const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, const CERT_INFO *cert,
+ DWORD *trustErrorStatus)
+{
+ CERT_EXTENSION *ext = get_subject_alt_name_ext(cert);
+
+ if (ext)
+ compare_alt_name_with_constraints(ext, nameConstraints,
+ trustErrorStatus);
+ else
{
if (nameConstraints->cPermittedSubtree)
*trustErrorStatus |=