Juan Lang : crypt32: Prohibit name constraints that contain neither an excluded nor a permitted subtree.
Alexandre Julliard
julliard at winehq.org
Wed Nov 18 09:40:39 CST 2009
Module: wine
Branch: master
Commit: 8585203103bf29192af2019d777eb508d1fd01ab
URL: http://source.winehq.org/git/wine.git/?a=commit;h=8585203103bf29192af2019d777eb508d1fd01ab
Author: Juan Lang <juan.lang at gmail.com>
Date: Mon Nov 16 17:55:23 2009 -0800
crypt32: Prohibit name constraints that contain neither an excluded nor a permitted subtree.
---
dlls/crypt32/chain.c | 11 +++++++++++
1 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 52ac5d9..11010d5 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -850,6 +850,17 @@ static BOOL CRYPT_IsValidNameConstraint(const CERT_NAME_CONSTRAINTS_INFO *info)
DWORD i;
BOOL ret = TRUE;
+ /* Make sure at least one permitted or excluded subtree is present. From
+ * RFC 5280, section 4.2.1.10:
+ * "Conforming CAs MUST NOT issue certificates where name constraints is an
+ * empty sequence. That is, either the permittedSubtrees field or the
+ * excludedSubtrees MUST be present."
+ */
+ if (!info->cPermittedSubtree && !info->cExcludedSubtree)
+ {
+ WARN_(chain)("constraints contain no permitted nor excluded subtree\n");
+ ret = FALSE;
+ }
/* Check that none of the constraints specifies a minimum or a maximum.
* See RFC 5280, section 4.2.1.10:
* "Within this profile, the minimum and maximum fields are not used with
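Review bot: The comment above the new "if (!info->cPermittedSubtree && !info->cExcludedSubtree)" check quotes an RFC 5280 requirement on issuing CAs ("Conforming CAs MUST NOT issue ..."), but it does not say why the verifier rejects on it. Add a sentence stating that an empty name constraints extension is deliberately treated as invalid during chain validation, so a later reader does not take the check for a misapplied CA-side rule. The diffstat lists only dlls/crypt32/chain.c, so a test that feeds a certificate with an empty name constraints sequence and expects the chain to be rejected would pin this behaviour. The new block sets ret = FALSE and then falls through into the minimum/maximum checks. If that is intentional, so that every problem is logged, a short note would help; otherwise return early. Minor: the WARN text would read better as "constraints contain neither a permitted nor an excluded subtree".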