Juan Lang : crypt32: Don't apply directory name constraints to an empty subject name.

Alexandre Julliard julliard at winehq.org
Wed Nov 18 09:40:40 CST 2009


Module: wine
Branch: master
Commit: a63affe5e0127c3e21898fff23167d0d096e2585
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=a63affe5e0127c3e21898fff23167d0d096e2585

Author: Juan Lang <juan.lang at gmail.com>
Date:   Tue Nov 17 13:57:52 2009 -0800

crypt32: Don't apply directory name constraints to an empty subject name.

---

 dlls/crypt32/chain.c |   24 +++++++++++++++++++++++-
 1 files changed, 23 insertions(+), 1 deletions(-)

diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 72f5e24..df94523 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -950,6 +950,22 @@ static void compare_subject_with_email_constraints(
          CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_NAME_CONSTRAINTS;
 }
 
+static BOOL CRYPT_IsEmptyName(const CERT_NAME_BLOB *name)
+{
+    BOOL empty;
+
+    if (!name->cbData)
+        empty = TRUE;
+    else if (name->cbData == 2 && name->pbData[1] == 0)
+    {
+        /* An empty sequence is also empty */
+        empty = TRUE;
+    }
+    else
+        empty = FALSE;
+    return empty;
+}
+
 static void compare_subject_with_constraints(const CERT_NAME_BLOB *subjectName,
  const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
 {
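Review bot: In CRYPT_IsEmptyName, the `cbData == 2` branch checks only the length octet (`name->pbData[1] == 0`) and never checks `name->pbData[0]`, so any two-byte blob with a zero length is treated as an empty name even though the comment says "An empty sequence is also empty". Suggest also requiring that the first byte is the DER SEQUENCE tag (0x30), so a malformed two-byte subject is not silently exempted from the permitted-subtree check. As a style point, the three-way if/else that assigns `empty` could be a single return of the combined condition.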
@@ -987,7 +1003,13 @@ static void compare_subject_with_constraints(const CERT_NAME_BLOB *subjectName,
             *trustErrorStatus |=
              CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
     }
-    if (nameConstraints->cPermittedSubtree)
+    /* RFC 5280, section 4.2.1.10:
+     * "Restrictions apply only when the specified name form is present.
+     *  If no name of the type is in the certificate, the certificate is
+     *  acceptable."
+     * An empty name can't have the name form present, so don't check it.
+     */
+    if (nameConstraints->cPermittedSubtree && !CRYPT_IsEmptyName(subjectName))
     {
         BOOL match = FALSE;
 
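Review bot: The new `!CRYPT_IsEmptyName(subjectName)` guard is added only to the `cPermittedSubtree` condition, while the code just above it in the same function can still set `CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT` for an empty subject. The RFC 5280 text quoted in the comment ("Restrictions apply only when the specified name form is present") does not distinguish permitted from excluded subtrees, so either test for the empty name once before both checks, or extend the comment to say why the excluded-subtree comparison is intentionally still run. The diffstat shows only dlls/crypt32/chain.c changing, so a chain test with an empty-subject certificate under a directory name constraint would help pin the behaviour.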



